Passwords are frustrating.
It can seem hard to catch a break between complexity requirements, forced expiration periods and the sheer number of passwords that need to be remembered these days. After all, everything needs an account, and every account brings with it yet another password. In theory, each account should have its own password, but for most people this is not the case. Yes, even technically inclined people who should know better are guilty of reusing passwords. The biggest security risk of reuse is that one compromised username and password combination can be replayed against other services, so a breach at one site turns into breaches of several accounts.
There are a few ways to combat this problem. First, use a different, complex password for each account (but good luck remembering more than one strong password such as this: qXq!U76w). Another method is to use a password manager to keep track of those numerous complex passwords, which reduces the problem to remembering a single master password, but that master password still has to be strong and still has to be remembered.
Multi-factor authentication can alleviate some of the issues related to weak or reused passwords, but does not completely remove them.
Authentication is the process of verifying that you are who you say you are. Generally, there are three ways of verifying an account:
- Something you know
- Something you have
- Something you are
Most people use the “Something you know” method of authentication on a daily basis, which requires the user to provide a password, a PIN or the answer to a security question. These are supposed to be unique to the account, hard to guess and known to no one other than the account holder.
Authentication through “Something you have” isn’t as common, but is becoming more well-known with the explosion of smartphones. Whenever you receive a confirmation number through a text message or use something like the Google Authenticator app, you are being authenticated through something you have: the phone that receives the message, or the device holding the secret from which the app computes its codes. Older but still somewhat common versions of this are RSA tokens (key fobs that generate unique numeric codes) and smart cards. Of these, codes sent by text message are the weakest, since a phone number can be redirected to an attacker (for example through a SIM swap) in a way that a secret stored on a device or token cannot.
Biometric authentication falls under “Something you are.” Historically, this method has been rare and relegated to higher-security locations with the budget to afford the required devices. Biometric authentication methods include fingerprints (which are becoming more common due to the addition of fingerprint readers on smartphones), retinal scans, facial recognition and even blood vessel pattern recognition. Provided the devices that do this type of verification are properly secured, biometric authentication is one of the most difficult authentication methods for someone to maliciously bypass due to the difficulty of impersonating someone on a biological level. The caveat is that, unlike a password, a fingerprint or face cannot be changed if the stored biometric data is ever leaked, so the security of this factor rests on the device protecting that data.
Multi-factor authentication (also known as MFA; the common case of exactly two factors is referred to as 2FA, for “two-factor authentication”) uses at least two of the three methods outlined above to verify a person’s identity, for example a password plus a code from a phone. With MFA, someone who has your username and password will not be able to log into your accounts without the supplemental authentication. Many services are beginning to offer multiple authentication methods, as these greatly increase the security of an account. Unfortunately, in many cases MFA must be enabled after account creation and is not activated by default. Most major services such as Office 365, Gmail, Facebook, Twitter and even Windows (through some third-party apps) can support some form of MFA, whether this involves sending a code via text or to a verified email account or generating a code in an app on the user’s smartphone.
In some cases, MFA can also serve as a notification that an account’s password has been compromised. An authentication text/email or a special alert can let the account holder know that a login attempt was made with the correct username and password. This kind of notification should prompt a user to change the account credentials to re-secure the account, preferably not by clicking on links in an email that they were not expecting to receive.
MFA is a great way to add an extra layer of security in front of applications and services without making major changes to your workflow. While it may sometimes be inconvenient to wait for a code to be sent to you, imagine how much more difficult it would be to deal with the repercussions of an unauthorized person gaining access to your accounts because that second layer of login security was absent.