Multi-factor Authentication

Hi. Craig Peterson here with a blink into multi-factor authentication.
 
Two-factor authentication, also known as multi-factor authentication, provides some of the highest levels of security available: something you know along with something you have.
 
Many websites, such as Facebook, YouTube, and your bank, give you the option to turn on multi-factor authentication. And most of the time, they are using SMS (or text messaging) to send you a text with an authorization number you enter right after you’ve given your username and password.
 
If someone, such as a roommate or ex-business partner, is trying to hack into your accounts, there’s a good likelihood that they know your phone number, and it’s the first step to a crime called “SIM-jacking.” They probably know enough about you to convince the phone company to transfer your phone number to a phone that they have. Once your number is transferred, they get your verification code when it comes in via text.
 
Using hardware tokens, or authenticator apps such as 1Password, Google or Microsoft Authenticator, solves the SIM-jacking problem since there is no SMS-based authentication code. The code shows directly in your authenticator app, and you type it in.
 
The risks?
 
  • If you don’t have your smartphone with you, you may lose access to the web site.
  • Some people become overly confident that they’re safe because they’re using multi-factor authentication. You’re still vulnerable to phishing, and if you’re using text messages for two-factor authentication you’re highly vulnerable.
 
If you’re using an authentication app, you might also want to have SMS available as an option. I keep a dozen one-time passwords available that I can use if I lose my device.
 
 

Multi-factor authentication (MFA) 

Requires the simultaneous use of two or more pieces of identifying information to verify your identity.

It means that if a hacker is able to grab your login credentials, they are prevented from accessing your account.

Authentication categories include:

  • Something you know

    These are your passwords or pre-established answers to questions. Use 1Password to create and store your strong and unique passwords as well as answers to your security questions. I recommend that you never use real information to answer those questions and never use the same answers to those questions for different sites.

  • Something you have

    Often these are physical tokens, which may be a key fob, USB drive or smart card. This token is used along with your password to gain access to your account. There are also software-based tokens, which are quite popular, that generate a single-use login PIN, or personal identification number. Some use SMS messages, emails or phone messages to retrieve the PINs. Because they can only be used once, even if they get intercepted during transmission they cannot be used to access your accounts.

  • Something you are

    There are a number of authentication methods that can be used. These are often biometric identification and include retinal or iris scans, facial recognition, voice recognition, signatures, keystroke movements or fingerprints.