As we use computers in more and more ways, our reliance on passwords to protect our data becomes more and more risky.
We have all been told not to reuse our passwords, and there is good reason for this. If I have the same password for my work, online shopping, social media and bank account, then if ANY one of those gets hacked and my password is compromised, ALL of those sites are compromised, because the same password will get the attacker into every one of them. So the advice not to reuse passwords is good advice.
Another problem with passwords is that internet sites can be accessed from anywhere. That is great when you are on holiday, but it means that an attacker, or the computer they are using to gain access, can also be anywhere. This is why more companies are introducing MFA to help protect their users' data.
Multi-Factor Authentication (MFA) provides another level of security. MFA is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. What does that mean in practice? You need another piece of information on top of your username and password. Let’s look at an example.
With MFA you will be asked for:
Your username, often your email address. If the site uses your email address, this should be thought of as public knowledge: we give it out all the time, so we cannot expect it to be secret.
Your password. This should be known only to you.
An additional piece of information. This can be one of four kinds of factor:
Something you have, such as a USB stick holding a secret token, a bank card or a key.
Something you know, such as a Personal Identification Number (PIN).
Something you are (biometrics), such as a fingerprint, iris, voice, typing speed or the pattern of intervals between key presses.
Somewhere you are, such as a connection from a specific computer network, or a GPS signal used to identify your location.
As the use of mobile phones has increased, one popular authentication factor is an SMS message sent to your phone. The message contains a code which you must type in to gain access.
So, with MFA, to gain access someone needs to know your username and your password and also have, for instance, your phone, i.e. something that belongs to you. This is much harder for an attacker to achieve, particularly if they are not local to you.
MFA offers a much higher threshold of protection for users. It does, however, add some inconvenience. In our view this inconvenience for users is far outweighed by the security benefits. For anything other than trivial applications it should be enforced: whether MFA was in place will be one of the first questions asked by the authorities should you have a breach, and your customers will demand that you implement it as they consider the compliance implications of the GDPR and government schemes such as Cyber Essentials.
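The SMS code step described above has a server side too: the code must be generated unpredictably, expire, be accepted only once, and survive only a few wrong guesses. The following is an added illustration, not code from this article; it assumes a hypothetical SmsCodeVerifier class, 6-digit codes, a 5-minute lifetime and 3 attempts, and it leaves the actual SMS delivery to the caller.

```python
import hmac
import secrets
import time


class SmsCodeVerifier:
    """Server side of the SMS one-time code step (assumed design, not
    from the article): 6-digit codes, `ttl` seconds of validity, single
    use, and `max_attempts` wrong guesses before the code is discarded."""

    def __init__(self, ttl=300, max_attempts=3, clock=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested offline
        self._pending = {}  # username -> [code, issued_at, attempts_left]

    def issue(self, username):
        # Code from the OS CSPRNG; a new issue replaces any pending code.
        # The returned value goes only to the SMS sender, never to the page.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self.clock(), self.max_attempts]
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, consumed, or already discarded
        code, issued_at, _ = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[username]
            return False  # expired: user must request a fresh code
        if not (isinstance(submitted, str) and submitted.isascii()):
            return False  # compare_digest needs ASCII str on both sides
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(code, submitted.strip()):
            del self._pending[username]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]  # guess budget spent: force re-issue
        return False


if __name__ == "__main__":
    v = SmsCodeVerifier()
    code = v.issue("alice")          # would be sent by SMS
    print("first use ok:", v.verify("alice", code))
    print("replay rejected:", not v.verify("alice", code))
```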