First, let’s start with authentication. If you tell me your name is Issac Malone, how do I know that is true? Authentication is the process of verifying your identity, that is, your claim about who you say you are. To authenticate yourself, you could show me your driver’s license or your passport, for example. Two-Factor Authentication (2FA) adds a second, independent piece of evidence to that check.
When you log on to your bank account, the process is very similar. You start with your userid, your claim to being someone, say IssacMalone; then the bank’s website must authenticate you. Since nearly the beginning of modern computing, we have used a password to help the computer verify that it is really you logging on. If you present the userid IssacMalone and the password ILoveMyCat (and that is the correct combination), the bank’s website accepts your claimed identity and allows you access to your account. Strictly speaking, the password only proves that whoever typed it knows the secret, which is exactly why a stolen or guessed password is all an attacker needs.
There are three factors of authentication that a server, computer or website can use to verify your claimed identity. They are:
Something you know (a knowledge factor): a password, a passphrase, a PIN, or a secret fact about your life.
Something you have (a possession factor): a physical object such as your cell phone, a hardware one-time password generator like the RSA SecurID token, or software like the Google Authenticator app on your phone.
Something you are (an inherence factor): a measurement of your body. Some are a bit invasive, like a retina scanner, which looks at the pattern of blood vessels in the back of your eye (just as your eye doctor does every year). Biometrics can measure something static, such as your fingerprint, which formed before you were born, or something that changes almost moment by moment, such as the pattern of your walk or the rhythm with which you type your password.
Moving to 2FA requires that two of those three factors are used to verify you are who you say you are. It is common in the US to combine a password (something you know) with the four-or-more-digit code you receive as an SMS text message (the phone being something you have). Two passwords, or a password plus a security question, are still only one factor.
In January 2021, Ubiquiti announced that systems hosted by a third-party cloud provider had been compromised and that customer data, including scrambled (hashed and salted) passwords, may have been exposed. They advised their customers to change their passwords and enable 2FA. Ubiquiti is one of the most significant IoT vendors today.
Also in January 2021, MeetMindful.com was breached. The breach included passwords and a lot of sensitive information, such as people’s names, dating preferences, and marital status. If you have an account there, change your password. Enabling 2FA does not appear to be possible on MeetMindful, but you can log in with your Facebook account, and Facebook does offer 2FA, which makes that path probably more secure. (It is hard to call Facebook secure, but its authentication process is better than that of many sites, MeetMindful included.)
There are many other examples of password breaches. Every time one happens, you need to change your password, but you may not learn about the breach until months or years afterward. It is best to enable a second factor of authentication anywhere you can: Facebook, Microsoft 365, Google, Amazon, etc. A second factor also limits the damage while a breach is still unknown, because a leaked password alone no longer opens the account.
Unfortunately, the most common option I see in the US, a one-time code sent to your phone by SMS text message, is NOT recommended by NIST: its Digital Identity Guidelines (SP 800-63B) classify out-of-band authentication over the phone network as restricted, because SMS can be intercepted or redirected (for example by SIM swapping). It is still better than a password alone, so use it if that is the only option.
A better choice is one of the free authenticator apps: Google Authenticator, Microsoft Authenticator, Okta Verify, LastPass Authenticator, and more. They all implement the same time-based one-time password (TOTP) standard, so you can usually use whichever you prefer; I prefer Google Authenticator. When you enable 2FA, you aim your cell phone camera at the QR code on the screen. That QR code carries a shared secret; the app stores it and from then on computes a fresh six-digit code every 30 seconds, which the site can check because it holds the same secret. Nothing travels over the phone network, which is what makes this stronger than SMS.
Turn on 2FA on all of your personal accounts. At the office, security personnel and managers should consider requiring it for all accounts.
Contact us to learn more about how our crowdsourced security platform can help you safeguard your rapidly growing business from malicious threats and vulnerabilities.