I still get a lot of people asking me about “multi-factor” or “two-step” authentication, so I thought I’d share this so that everyone can make the most of it to protect their accounts online. So how does multi-factor help? Let’s first explain some of the hacker techniques involved…
Stop hackers from accessing your accounts with your compromised credentials
The process the bad guys use these days is simple. Hackers find your user credentials in exposed breach data such as LinkedIn, Dropbox, Yahoo or others, and they then retry the same credentials across other sites and services (a technique known as credential stuffing). For those who use the same password across multiple sites, the hackers get access… simple.
The problem is that hackers have automated the process with tooling, so it’s quick and easy for them to find a victim, whose accounts they then leverage for a variety of criminal purposes.
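From the defender’s side, credential stuffing has a recognisable shape in a login log: one source tries many different usernames in quick succession and almost all of them fail, whereas a legitimate user fumbling a password retries the same username a few times. The script below is an added example (not code from this post) that runs that heuristic over a few constructed log lines; the log format, the thresholds (5 distinct usernames, 80% failure rate) and the IP addresses are all assumptions for illustration.

```python
"""Spot credential-stuffing sources in a login log.

Added example: the log format ("timestamp ip username RESULT"), the sample
lines and the thresholds are assumptions for illustration, not real data.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic). 203.0.113.7 walks through
# ten different usernames; 198.51.100.4 is one user mistyping their password.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave LOGIN_OK
2024-03-01T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2024-03-01T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2024-03-01T10:00:05Z 203.0.113.7 grace LOGIN_FAIL
2024-03-01T10:00:06Z 203.0.113.7 heidi LOGIN_FAIL
2024-03-01T10:00:07Z 203.0.113.7 ivan LOGIN_FAIL
2024-03-01T10:00:08Z 203.0.113.7 judy LOGIN_FAIL
2024-03-01T10:05:00Z 198.51.100.4 alice LOGIN_FAIL
2024-03-01T10:05:20Z 198.51.100.4 alice LOGIN_FAIL
2024-03-01T10:05:45Z 198.51.100.4 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that tried many distinct usernames with mostly failures.

    Each flagged entry lists the usernames for which a login from that IP
    *succeeded*: those are the accounts whose reused password worked and
    that need a forced reset and a second factor first.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1

    flagged = []
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged.append({
                "ip": ip,
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s["hits"]),
            })
    return sorted(flagged, key=lambda f: f["distinct_users"], reverse=True)


if __name__ == "__main__":
    for hit in find_stuffing_sources(parse(SAMPLE_LOG)):
        print(hit)
```

Per-source-IP counting is the simplest cut; real campaigns are spread across proxy pools so that no single IP trips a threshold, and production detections key on things like the ratio of distinct usernames to successes across the whole site, or on a password-hash reuse signal, rather than on one address.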
You can check whether your credentials appear in known breaches by searching for your personal and work email addresses on this handy website provided by Troy Hunt: https://haveibeenpwned.com/
Your email account – the crown jewels
Another consideration is that if cyber attackers manage to get access to your email account, they can then reset your passwords on other sites or services, as most password reset capabilities work by sending a reset email to your registered email address. That’s why it’s so important to protect all of the online accounts and services you use with two-step, so that even if your username and password are exposed, you are still protected.
For those who aren’t familiar with two-factor, otherwise known as two-step or multi-factor authentication (MFA), learn by watching this short video below:
LinkedIn, Facebook, Apple and other popular companies now provide two-factor as a security feature to protect their customers, which you should use given how common breaches that publicly reveal usernames and passwords have become.
So what is authentication?
‘Authentication’ – the process of proving someone is who they say they are – is a critical part of being cyber secure. The aim of authentication is to ensure that only authorised people have access to particular information or systems which may be sensitive – such as email and bank accounts, social media or other online accounts.
The form of authentication you are likely to be most familiar with using is passwords (something you know).
However, while it’s important to ensure you use strong, unique and hard to guess passwords for each of your online accounts, the reality is that cyber-criminals have access to an increasingly powerful array of tools they can use to guess or crack those passwords. As an example, if your password is a dictionary word or a simple variation of one, a dictionary attack will recover it in seconds. If you use the same password across multiple sites, then you are even more at risk.
Introducing multi-factor – a second line of defense
Most online services, including banks, social media and email providers, now offer the ability to use an additional form of authentication to act as a further line of defense against cyber-criminals. This is known as a ‘second factor’ of authentication and is typically something you have (such as a phone or hardware token that generates, or receives and displays, a one-time passcode).
When used in conjunction with a strong password, second factor authentication makes it significantly more difficult for cyber-criminals to compromise your online accounts because they have to break through two separate lines of defense.
For example, if your password is compromised through a malware infection on your computer, or through it being successfully guessed by a cyber-criminal, or even as a result of someone covertly watching over your shoulder as you enter it (known as ‘shoulder surfing’), your account still can’t be accessed without access to the second factor.
For this reason, it’s important for you to enable this option on your online accounts wherever possible – assuming you haven’t already.
Using two-factor authentication for your online accounts
Many of the most commonly used social media, email and banking services offer the option to use two-factor authentication, although it is not always enabled by default. While the exact process that needs to be followed to enable this feature will vary depending on the service, most commonly you will need to register your mobile phone number with the relevant service (this can usually be done online). Alternatively, you may be provided with a separate token or a passcode-generating application for your smartphone.
Then, the next time you log in with your username and password, you will be sent a text message (or asked to use your passcode-generating application or token) containing a unique one-time code that you also need to enter into the website. You will only be granted access if you enter both your password and the one-time code correctly.
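To make the “passcode-generating application” concrete: the app and the website share a secret when you enrol, and the app derives a fresh six-digit code from that secret plus the current 30-second time slot (TOTP, RFC 6238, built on HOTP, RFC 4226). The site recomputes the same code and compares. The block below is an added example written for this page, not any vendor’s code, and it is the general algorithm rather than one app’s; the secret is the RFC test key (an assumption, a real service generates a random one per user), and the `TotpVerifier` class is a hypothetical server-side check that also shows the two things a website must get right: tolerate a little clock drift, and never accept the same code twice.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from scratch, plus a verifier.

Added example for this page, not code from the post or from any vendor.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"): an assumption for
# the example. Real services generate a random per-user secret and hand it to
# the app as a base32 string / QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password for an 8-byte big-endian counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based variant: the counter is the number of `step`-second slots since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


class TotpVerifier:
    """Hypothetical server side: accept the current slot plus/minus `window`
    slots (clock drift), and refuse to accept any slot at or before the last
    accepted one so a captured code cannot be replayed within its lifetime."""

    def __init__(self, secret, window=1, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted_slot = -1

    def verify(self, code, unix_time):
        now_slot = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            slot = now_slot + delta
            if slot <= self.last_accepted_slot:
                continue                         # replay or older than a used code
            expected = hotp(self.secret, slot, self.digits)
            # Constant-time compare: a plain == would leak via timing.
            if hmac.compare_digest(expected, code):
                self.last_accepted_slot = slot
                return True
        return False


if __name__ == "__main__":
    # What an authenticator app would display right now for TEST_SECRET.
    print(totp(TEST_SECRET, time.time()))
```

Note that the verifier still only proves possession of the secret at enrolment time: if the secret is copied (a screenshot of the QR code, a malware-infected phone) the codes can be generated elsewhere, and a code typed into a phishing page can be relayed to the real site within the same 30-second slot.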
SMS codes are not bulletproof: a criminal can take over your phone number (a technique called mobile phone porting or SIM swapping) and receive your codes as part of a scam, which is why more companies now use an authenticator app or push notifications within their apps as a second factor rather than SMS. Bear in mind too that any code you type into a website can be phished in real time by a fake login page that relays it to the real site; hardware security keys (FIDO2/WebAuthn) are designed to resist that, so use them where a service offers them.
Where to from here?
More and more sites are offering a second factor as a way of protecting their customers. Below are some links where you can obtain more information about two-factor authentication, and how to enable it on a variety of sites:
1. https://www.turnon2fa.com/ – a site with detailed tutorials for enabling two-factor authentication on a variety of common websites and services such as Apple, Facebook, LinkedIn, and other popular sites you may use.
2. Two Factor Auth – provides a list of websites and whether or not they support two factor authentication
Feel free to comment below, or contact me direct if you have any additional questions about multifactor.