Multi-Factor Authentication – How Does It Protect Me?

Eric Tate

“Your password has been hacked!”
“**Insert random site** has had a security breach!”

It has begun to feel as though headlines like the ones above have become commonplace in the news. As malicious groups continue to attempt to stay one step ahead of security standards, it’s becoming more and more difficult to put your trust in websites that you log into. You may have read our recent blog post regarding password complexity. And while it remains as important as ever, there is another security measure that should be used whenever possible: Multi-Factor Authentication.

If that term doesn’t ring a bell, that’s okay. You might already be using Multi-Factor Authentication and don’t even realize it. Do you get a text message with a code whenever you attempt to log into your bank’s website? Do you open an app on your cell phone to authorize your new Facebook login? If you answered yes to either or perform similar actions with other sites, you are currently utilizing Multi-Factor Authentication. Great job!

Multi-Factor Authentication is the act of authenticating your login using a combination of security factors: something you know, such as your login credentials, and something you have, such as your mobile device.

So how can you better protect the security of your accounts through the use of Multi-Factor Authentication? Let’s take a look at the ways that you can help maintain control of your data access.

There are quite a few methods that can be used for Multi-Factor Authentication. Today, we’ll be focusing on the two most common methods: mobile applications and SMS (text message) authentication. Let’s take a look at how each method can benefit you, as well as what their drawbacks may be.

Before we start, it is important to note that not all websites/services support all methods of Multi-Factor Authentication. But regardless of the methods available, any method is better than none. If the service does not make it clear what methods of Multi-Factor Authentication are supported, or if you just need assistance with learning how to activate the site’s Multi-Factor Authentication feature, check their Help documentation or contact their customer service department.

Mobile Applications

With the bulk of people utilizing a smart phone on a daily basis, it’s no surprise that a downloadable app would be a common method for Multi-Factor Authentication. There are a variety of apps available for the task with three of the most common being Google Authenticator, Authy, and Duo Security. Depending on the site’s configuration, these apps can provide Multi-Factor Authentication through the use of push notifications or via temporary security codes.

Push Notifications

If the site in question supports it, push notifications are the quickest and easiest way of protecting yourself with Multi-Factor Authentication. Upon logging into the website, you’ll receive a push notification on your mobile device asking if you approve of the login. With no more than a few screen clicks, your Multi-Factor Authentication process will be complete.

Using push notifications for Multi-Factor Authentication has large benefits due to its ease of use and convenience. However, its convenience can also be seen as a drawback. It is important to never allow yourself to become numb to the incoming notifications by getting into the habit of approving them whenever they come in. You should only approve the requests that you are expecting to receive. If you ever receive a push notification for Multi-Factor Authentication that you were not expecting, change your account’s password and contact the website’s support department immediately. In addition, push notifications will only work if your mobile device has an active internet connection such as WiFi or cellular data.

Temporary Security Codes

Also referred to as One-Time Passwords (OTP), temporary security codes can be utilized within your Multi-Factor Authentication mobile app by generating a password (normally numeric) that only works for a brief period of time. After logging into the website in question, you are then prompted to enter your security code which is displayed on the screen of your mobile device’s app. A single application can be used to store the temporary security codes for a multitude of websites and services.

It seems like sorcery in a way. How can the website possibly keep track of a random password that changes every 30 to 60 seconds? During the setup process of your Multi-Factor Authentication, your mobile device and the website perform a secret handshake that utilizes the current time on your clock to get in sync. Because your mobile device and the website use the same algorithm as each other after that handshake, each side knows what number the other should be seeing at any particular time. This method also allows your Multi-Factor Authentication to continue working even if your mobile device is offline, such as when there is no signal or the device is in Airplane Mode. Its largest drawback is the lack of convenience in needing to manually open up the application to get your current code and then type or copy it into the website.
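The time-based codes described above, as an added example that is not part of the original post: it assumes the site and the app use the standard TOTP algorithm (RFC 6238) with HMAC-SHA1, 30-second steps and 6 digits. The function names are chosen for illustration, and `SAMPLE_SECRET` is the RFC's published test key, not a real account secret.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds each code stays valid (assumed; some sites use 60)
DIGITS = 6     # length of the displayed code
# Constructed sample: the published RFC 6238 test key, shared by both sides at setup.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive one code from the shared secret and a counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now=None, step: int = STEP, digits: int = DIGITS) -> str:
    """What the phone app displays: the counter is just the clock divided by the step."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify(secret: bytes, submitted: str, now=None, step: int = STEP,
           window: int = 1, last_used_counter: int = -1):
    """What the website does: recompute the code and compare.

    Accepts codes up to `window` steps away to tolerate clock drift, and
    skips any step at or before `last_used_counter` so a code that was
    already accepted cannot be replayed. Returns the matched counter
    (to store as the new last_used_counter) or None.
    """
    if now is None:
        now = time.time()
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):  # constant-time
            return counter
    return None


if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SECRET, now=59))
    print("accepted at t=89 (one step late):", verify(SAMPLE_SECRET, "287082", now=89))
```

Neither side contacts the other to produce the code, which is why the app keeps working with the phone offline.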

SMS Authentication

Very similar to the Temporary Security Codes mentioned above, the other of the two most common methods for Multi-Factor Authentication is the use of SMS (text message) authentication. When set up, the website’s servers will send your mobile device a text message containing your temporary security code which can be used to complete your Multi-Factor Authentication process.

When using SMS authentication, you get the convenience of a push notification but will still need to type or copy the code into the website you are logging into. This method is great for anyone who would like to keep their installed mobile applications to a minimum or for anyone not in possession of a smart phone. As long as the mobile device can receive a text message, SMS authentication will suffice.

Similar to the drawback mentioned within the Push Notifications section above, it is important to only utilize codes received if you were expecting them to begin with. If you receive an SMS authentication request from a site that you were not trying to log into at the time, change your password immediately and contact the website’s support department. Although much more secure than a lack of Multi-Factor Authentication altogether, SMS authentication is the less secure method because its only dependency is your cell phone number. If your cell phone were to become lost/stolen or if your cell phone number were to be compromised, there is a larger chance of Multi-Factor Authentication becoming compromised as well, when compared to a mobile application that is protected further by the device’s security lock.

Tips Regarding All Methods

Regardless of the method used for Multi-Factor Authentication, the following are some tips to help keep you protected.

  1. No one will ever call you to obtain a Multi-Factor Authentication code. A common scamming method in recent years has been that malicious individuals call pretending to be an employee of Facebook/Twitter/etc. stating that they need your security code to verify that you own your account. Do not ever provide one!
  2. Hide those details! On most cell phones today, your notifications will display even when your cell phone is in a locked state. For added security, disable the specific details of each notification from displaying until your device has been unlocked. This will provide an additional layer of security in the event that your cell phone gets lost, stolen, or is temporarily left in view of others. This action can be taken on both iPhone and Android by clicking the applicable links.

Conclusion

Each method listed above has its own benefits and drawbacks to consider. When available, the use of mobile applications for Multi-Factor Authentication is the more convenient and secure method of the two, but both provide significant security value:

  • Mobile Application – Push Notifications
    • Benefits – Most convenient method. Least amount of interaction needed. No codes to remember and type in.
    • Drawbacks – Requires an active internet connection on the mobile device.
  • Mobile Application – Temporary Security Codes
    • Benefits – Can continue working even when the mobile device is offline. Many sites and services can have their codes stored within a single application.
    • Drawbacks – Requires the most effort to utilize.
  • SMS Authentication
    • Benefits – Works with any device that can receive text messages.
    • Drawbacks – Least secure of Multi-Factor Authentication methods.

The team here at Diligex uses Multi-Factor Authentication whenever possible because we care about helping protect not just our own data’s security but yours as well. If you are not currently a Diligex Managed IT client and would like information about how Diligex can help your business thrive, contact us using the following link: https://diligex.com/contact

If you’re already a Diligex Managed IT subscriber, thank you! Feel free to reach out to us at any time if you have any questions regarding your data’s security or would like to discuss ways to further enhance your company’s technology.