Multi-factor authentication

Background

You might see it referred to as 2FA, MFA, or 2-step, but it all refers to having an additional authentication mechanism when we log in to a particular system. Our digital lives consist of hundreds of accounts across the various services, applications, and websites we use. Consider the following websites: Amazon, Facebook, Twitter, Google, Microsoft, LastPass, LinkedIn, and so on. Any time you sign up for one of those services, you will have established a username and password. Your email address is likely your username.

Phishing attacks often revolve around stealing credentials. If a bad actor can convince you to enter your password into a form that mimics something you often use, those credentials have now been stolen, and without an additional line of defense, the attacker is free to log into that system with your account. If you re-use passwords, the attacker will then be able to log into various other services with the same credentials.

Credentials can also be obtained if a particular website or application is breached. In 2012, LinkedIn suffered a breach that resulted in over 6.5 million passwords being stolen. If your account was in this list, that password now likely exists in password list files that anyone can use when attempting to brute-force authentication. Thinking back to the password re-use example, it would mean that bad actors could iterate through various websites in an attempt to log in with known credentials.

This is where MFA comes in. When MFA is enabled, the authentication process requires your username/password combination plus a second factor: the password is something you know, and the second factor is something you have. Today, we typically use an authenticator app installed on a smartphone, and the app presents a rotating code that must be entered at login. When you enable it for a particular account, you establish a relationship between your device and that service, so that the rotating code on your device stays synchronized with the code the service expects.

In the stolen password scenario with MFA enabled, the attacker would be stopped because they do not have your smartphone, which holds the authenticator app and the current code for that website.

How to Enable

Enabling MFA has become a very simple process. There are a few authenticator apps, but I like Authy. It supports backups, you can find enablement guides for many services, and you can use it anywhere a site supports Google Authenticator. It is easy to do, free, and adds only a tiny bit of time to the login process. See the following guide for enabling Authy for use with Gmail: https://authy.com/guides/googleandgmail/

I would encourage everyone both personally and professionally to install an authenticator app, enable it for as many accounts as possible (or at least your most sensitive), and tell everyone you know to do the same.

Corporate Networks

The same principles apply to corporate networks. NIST 800-171 and CMMC ML 3 both require that MFA be enabled for local and non-local connections. The process to enable that functionality requires a bit more planning, and that is where Bound Planet can help.