Multi-factor Authentication: Why You Need It to Protect Your Data
In March of this year, a security camera startup called Verkada was hacked, giving the cyberattackers access to over 150,000 security cameras. Among those cameras, some were inside jails, women’s healthcare clinics, Tesla, and even Verkada’s own headquarters. The hackers also gained access to all of Verkada’s archived footage.
The breach was made even more alarming by how simple the hacking group’s methods were: they just found the username and password of a “Super Admin” account that was exposed on the internet because the network connection was not protected by a VPN or other safeguards. This attack highlights just how unsafe it is to rely on single-factor authentication alone.
What is MFA?
Multi-factor authentication – MFA – is the process of verifying your identity to gain access to an online account or information using two or more steps. Most people are familiar with single-factor authentication – providing a username and password – as a measure to keep accounts and data protected. MFA takes it one step further – think of it as adding extra layers of protection to your information, or your organization’s information. A common example of MFA is a debit card – the first layer is the card, the second is the PIN, and without both of those, you cannot access the account.
Why is MFA important?
As highlighted in the Verkada example, passwords, while they are the most common type of authentication, are a weak layer of protection. We tend to use the same or similar passwords for multiple accounts and choose things that are easy to remember and, as such, easy for hackers to figure out. If one of the platforms we use (say Facebook) gets hacked, attackers can try to apply the same password to all our other accounts and, without MFA, are likely to gain access to at least a few of them. Furthermore, hacked accounts’ info often gets sold on the dark web, meaning other hackers, too, will try to apply the same password to every account they can associate with a user. MFA is one of the easiest and most cost-effective ways to ensure everyone in your organization is protecting your data. In fact, it can block over 99.9% of account compromise attacks – definitely worth the few extra seconds it will take to log in.
What are the factors in multi-factor authentication?
MFA can be broken down into three major categories: something you know, something you have, and something you are. For an account to be protected using MFA it must require at least two of the three types of authentication to verify the user.
- Something you know is a password or PIN. Most accounts already require this type of authentication, but always make sure that the passwords are strong and unique. That may seem like common sense, but according to a study done in 2020, the top 3 most common passwords were 123456789, 123456, and picture1. The next most common was simply password. These are comically easy for hackers to crack. So while it might be harder to remember a sequence of numbers, letters, and symbols, it will be well worth it for the added protection.
- Something you have can be a mobile phone or email. Getting a verification code sent to your mobile phone or email is great because you will not only be alerted if someone is trying to access your account, but without your device or email, it won’t be possible for them to proceed with their hacking.
- Something you are, or biometrics, can be a fingerprint or voice recognition. This is a highly effective method of verification due to the distinctiveness of biometric characteristics. The downside of using this type of authentication is that it cannot be reset, so if, by chance, this factor is breached, it is breached forever. Common types of biometric authentication are fingerprints, retina scans, facial recognition, and voice biometry.
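To show how the "something you have" factor works alongside a password, here is an added example (not code from the original post) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app on a phone produces (RFC 6238 TOTP). The user record, salt and password are constructed for the demo; the TOTP seed is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP: a 6-digit code derived from a shared secret and the current
# 30-second time step. The authenticator app on the phone and the server compute
# the same code; an attacker who only knows the password cannot produce it.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to allow clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):       # constant-time comparison
            return True
    return False

# Constructed user record: salted PBKDF2 password hash plus the user's TOTP seed.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key, constructed enrolment
}

def authenticate(user: dict, password: str, otp: str, now: int) -> bool:
    """Both factors must pass; a stolen or guessed password alone is not enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return password_ok and otp_ok

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)  # what the phone app would display right now
    print("password only:", authenticate(USER, "correct horse", "000000", now))
    print("both factors: ", authenticate(USER, "correct horse", code, now))
```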
Finally, there is passwordless authentication and passwordless MFA. The former means that you can gain access to an account without ever entering a password; instead, verification consists of a more secure step, such as a fingerprint. It is often part of MFA. The latter – passwordless MFA – means that none of the multiple verification requirements for entry to the account is a password.
To secure both end-user and admin accounts, using MFA across the board is extremely important. Having a password and username simply doesn’t cut it anymore. Make sure all employees have and use MFA if they are accessing your organization’s data, on top of other safety precautions, to significantly minimize the risk of a successful cyberattack.