How MFA works (and why you need it)
When you log in to your accounting software, bank website, Facebook or an Amazon account, you have a user name and password. Some of these sites also add some security questions to make sure it's really you. So with all this security, why would anyone need Multi-Factor Authentication?
So glad you asked.
Here's what the National Institute of Standards and Technology says: "MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence - your credentials - when logging into an account."
MFA comes down to a double-check that you are who you say you are. If your user name and password have been compromised (or shared), this allows for a second confirmation in a different format. There are three formats available, so any combination of two increases the level of security and safety.
Knowledge - This is where the security questions come in. You are asked specific questions to prove you have the user's knowledge. Unfortunately, hackers troll Facebook and similar sites to "scrape" this kind of info that many people freely share on these sites; pet names, vacation home sites, things like that.
Also, if your credentials were compromised, information like your father's middle name may already be for sale and associated with your user log on. This one is still helpful, but insufficient all by itself.
Possession - This might take the form of a key fob that has been issued to you. The fob might receive a code that you need to enter. It could be a fob that is scanned at a security door. It could be an app that sends a code or a request straight to your cellphone for approval.
It might be a text to your cellphone or a call to a previously approved phone number. In each case, the "real" user has to be in possession of something specific in order to authenticate.
Inherence - Facial recognition on a cellphone has been around for a couple of years. You have to scan your face to unlock the phone. Have you heard of the Clear airport security program? They use a retinal scan to identify it's you, then walk you to the TSA person to get to the security screening. There are a growing number of computers that use fingerprint identification on laptops or security doors. These are more recent and open up new issues for businesses.
One of the concerns is when staff leave the organization. If their company cellphone or company computer requires facial recognition or a fingerprint, how are you going to gain access to the equipment?
A few takeaways:
• In the real world, we have to take our skills of filtering sales calls and apply them to email requests. "Be cautious as serpents, yet innocent as doves," as the saying goes. There's no room for naiveté or benefit-of-the-doubt. Be suspicious. Delete if unsure. Call the person to get clarity. Never send money anywhere just because you have an email request. Get serious about this.
• Resign yourself to the MFA/2FA reality; pick your poison when possible. If you have an option to send an authentication request to your phone or a separate key fob, you might choose your phone because you always have it with you (be sure you lock your phone). If it has to go to an email address, be sure you haven't shared the password with anyone else and that it's a strong password. It's the price of convenience, and it's a small price to pay to protect your data.
• Catherine Wendt is president of Syscon.