Because of the pandemic, many of us have been forced to work from home. With this sudden change, many companies made it mandatory for workers to sign up for multi-factor authentication (MFA) for their online accounts. For many, this term is completely new. Fortunately, this article will help you become more aware of it and understand it better.
What is MFA?
Multi-factor authentication is a security control that asks users to verify themselves in more than one way. For example, in addition to entering your password, you might be asked to provide a special one-time code that is generated by a mobile app or sent to you in a text message. Your password is something you know, so the additional thing could be something you have (like a physical code generator, also known as a key fob).
Something we know often includes things such as our passwords, a Personal Identification Number (PIN), or security questions. Something we have could include items such as a mobile device, a token, or a smart card. Combined, these provide multi-factor (in this case two-factor) authentication. We can also add something we are, which includes biometric aspects such as iris scans, fingerprints, or voice recognition, creating a three-factor authentication scheme. If four-factor authentication is needed, one’s location can also be used. Depending on the level of security needed, your company decides how many factors are to be implemented.
If the authentication process uses more than two factors, we can no longer call it two-factor, so it is better simply to say multi-factor authentication.
Why do we need it now that we are working from home?
For many of us, switching to remote work happened overnight. Sadly, this also worked in the attackers’ favour. With remote access, we can no longer see someone at their workstation to verify that it is them communicating with the system, so the chances of a data breach are higher. Email has become one of our most used forms of communication, which gives attackers an easy way to try to exploit you using methods such as phishing schemes, spam, and malware to get access to your corporate credentials. This makes MFA our best friend. Even if your credentials are compromised, attackers have a harder time fully breaching your account, as they may also need access to an additional thing, such as your fingerprint, your phone, etc.
Threats to protect against while using two-factor authentication via mobile phone
Multi-factor authentication was introduced to help keep users’ logins as safe as possible online. However, this doesn’t mean we are completely safe. MFA is an extra step of security, which means that attackers have to find clever ways of getting you, the user, to assist them. Some of the popular methods used when you authenticate with a mobile phone are:
- Vishing – if the method you use to authenticate is a phone call, an attacker can use this against you. Once they have compromised your username and password, getting you to approve the login is the last wall. This usually comes in the form of a call telling you that you need to authenticate your account on an upcoming call. They may try to convince you that your account was hacked and that you need to verify it is you. Once you approve the request they send, they have complete access. As a precaution, always contact your IT team if you get any strange calls asking you to authenticate your account, and never approve access unless it is you signing in.
- SMS – attackers can also use text messages to coerce you into giving them access. They may try to sign in, which results in you receiving the authorization code, and then use many different schemes to get you to send them that code. It is good practice never to forward any authorization codes you receive. The same principle applies to one-time passwords.
- QR codes – many authentication applications ask you to scan a QR code when signing up. This links your account to the app. Any QR codes generated for your account should be protected and never shared. These applications usually allow you to add more than one device to your account, in case you lose your phone. If you were to share an unused QR code from your account with someone else, they would be able to register another device on your account, and so would be able to sign in and use their device to authenticate the login. They could even remove your number if they wished. You must never share your QR code with anyone. Also, contact your IT team if you notice any unfamiliar numbers or devices set up on your account, and change your password immediately.
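To show why the enrolment QR code must be protected, here is an added Python example (not from the original article) that parses the otpauth:// URI such QR codes carry and derives the one-time code with RFC 6238 TOTP; the URI is constructed, the account name and issuer are made up, and the secret is the RFC 6238 test key. Any second device that scans the same QR code recovers the same secret and therefore produces identical codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what an authenticator app reads out of an enrolment QR code.
# The account and issuer are made up; the secret is the RFC 6238 test key, base32-encoded.
EXAMPLE_URI = (
    "otpauth://totp/ExampleCorp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return (account_label, secret_bytes, digits, period) from an otpauth:// TOTP URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding some apps omit
    secret = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return unquote(parts.path.lstrip("/")), secret, digits, period


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current 30-second time step."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_from_two_devices(uri, unix_time):
    """Two apps enrolled from the same QR code hold the same secret and emit the same code."""
    _, secret_a, digits, period = parse_otpauth(uri)
    _, secret_b, _, _ = parse_otpauth(uri)  # a second phone scanning the same QR code
    return totp(secret_a, unix_time, digits, period), totp(secret_b, unix_time, digits, period)


if __name__ == "__main__":
    label, secret, digits, period = parse_otpauth(EXAMPLE_URI)
    print("QR code carries the shared secret for", label)
    print("current code:", totp(secret, time.time(), digits, period))
```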
Now that we work from the comfort of our homes, cybersecurity is one of the most important things for our companies, and everyone shares this responsibility. Passwords alone can no longer protect us. Multi-factor authentication doesn’t stop at the world of work; MFA can also be enabled on social sites like Facebook and even on your personal email. Registering your accounts for multi-factor authentication is a simple way you can contribute to protecting your accounts online.
Chanthea Quinland from Antigua and Barbuda contributed this article. Chanthea is a member of WISC (Women in InfoSec Caribbean), a Discord group from the G5 Cyber Security Foundation Ltd. Learn more about WISC at wiscaribbean.org. WISC is a non-profit initiative supporting Caribbean women and girls to develop a career in Information Security.