So you're telling me that first I need a 12+ character password that I can’t reuse anywhere else and now I have to enable multi-factor authentication.... this is ridiculous!
I’m sure I have at least 1 reader who is thinking something along those lines. :)
In this article we will look into the current state of multi-factor authentication, what it is, what is changing, and why you should use it.
Using more than 1 authentication method to access a service, website, or device has been around since AT&T's patent filing in 1998.
If you have logged into a service/site with a user name and password then been asked for a piece of Personally Identifiable Information (PII... It's a thing); you have used Multi-factor authentication.
Authentication that includes a multi-factor authentication solution requires information from at least two of these groups below:
There are currently 3 types of multi-factor authentication:
When logging into a service/site you are prompted for the first form of authentication (typically a user name & password). Once you have successfully provided that you are prompted for a second form of authentication.
This second authentication will come from 1 device/platform and in one form (something you have/are). That could be a series of numbers that changes every 30 seconds from an app on your phone, an SMS text with digits you need to input, or a request for a fingerprint.
With 2FA you can only configure (1) second form of authentication. If you lose that device or you are in an area that doesn’t have cell reception you won’t be able to access the service/site.
This type looks and behaves similarly to 2FA. The main difference is that MFA will allow you to configure multiple second forms of authentication.
The first MFA prompt could be for a 6 digit code sent to your cell phone. You could also have your phone prompt you for a fingerprint or second password. If the device is lost you could log into the service by confirming other Personally Identifiable Information (PII).
2FA and MFA are the most prevelant and are often used interchangeably.
AMFA is the new kid on the block but will quickly become widely adopted due to its user friendliness. The ‘adaptive’ part of AMFA will greatly reduce the time needed to log into multiple services/sites that require MFA.
When you provide the second form of authentication to an AMFA service; the service collects data about where you are, what network you are on, and what device you provided that MFA from (to name a few).
When you launch a second service/site that requires MFA; the AMFA service references the previous MFA request (what network you’re on, what device you have...) and compares it to the current request. If the data is a match the AMFA service grants access without the user having to provide the second form of MFA.
With many services/sites requiring enrolment in MFA and many more on the way; the ability to provide the second authentication (1) time to gain access to all your MFA protected sites will save significant time.
AMFA also provides a layer of security called step-up authentication which is used when an increased risk task is performed.
Let's say you logged into your banking app and your AMFA service granted permission for the second form of MFA. You then, uncharacteristically, transferred a large sum of money. Step-up authentication would prompt you for the second form of authentication before allowing the transfer.
Social Engineering attempts have been increasing year over year. Even worse; the success rate has increased.
If you aren’t familiar with phishing tactics; read our 4 part cybersecurity series
Social Engineering is an attempt by cybercriminals to acquire your user credentials. Compromised user credentials in a service/site that also employs an MFA solution is a substantial roadblock to the cybercriminal carrying out their attack.
Once the cybercriminal inputs your compromised credentials they are prompted for a second form of authentication effectively stopping the cybercriminal in their tracks.
Just like hiding the cookies so your kids can’t get them; adding an MFA solution to your security stack won’t stop all cybercriminals.
A properly selected and configured MFA solution will significantly improve your security posture and make it more difficult for cybercriminals to compromise your data.
Social Engineering presents the largest risk for MFA security. Here are some tips for keeping your MFA protected data safe:
If you get an email asking for identity verification for a service/site with a convenient button to click.. don’t click it.
If you think it may be valid, go directly to the service/site and log in.
Cybercriminals do a great job of making rogue sites look identical to the actual site. Going directly to the site in a separate browser tab is your safest bet.
The only place you should input the key or requested MFA data is in the service/site during login.
If you are being asked to forward or reply with the MFA key/data; it is likely a Social Engineering attempt.
While logging in to a service/site and you are prompted for your second factor differently than before (before your first authentication, after you have been granted access...); this is cause for concern. Close your browser then re-open your browser to attempt login again.
Many services/sites are requiring MFA enrolment for their clients. That list is growing every day. The good news is MFA provides another layer of security for data and Personaly Identifiable Information (PII). That layer of security becomes even more effective when we are cognizant of Social Engineering attempts.
In a time when the average person is a user of more than 25 services/sites, AMFA couldn’t get here soon enough. Until then; we should be thankful that our data and PII is more secure with a properly selected and configured MFA solution... even if it does take an additional 3 minutes to log in.
Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba). From our Logo to our online presence and business operations platform; Matthew created a solid foundation able to support our growth into the future.
We are an IT Services and technology company serving the southwestern United States since 2003. We specialize in supporting, managing, and deploying technologies for the AEC industries' unique requirements. We differ from the typical IT service provider in that we handle ALL your technology needs, freeing you to focus on your core business.