In a digital realm where the baddies are always on the lookout for a loophole to sneak through, fortifying our online data and activity is more crucial than ever. This year's Cybersecurity Awareness Month shines a spotlight on the theme "Secure Our World," encouraging internet users to enhance their digital security using four essential principles: Use Strong Passwords, Turn On MFA, Recognize and Report Phishing, and Update Software. Today, we’re zeroing in on the second pillar, "Turn On MFA," to unravel how Multi-Factor Authentication (MFA) is your digital doorman that keeps the uninvited at bay.
We’re living in a time where a single password is like a flimsy lock on a treasure chest. Cyber miscreants have their toolkit brimming with gadgets and gizmos to crack open your digital secrets. MFA adds extra layers of security by demanding more pieces of evidence–or factors–before granting access to your online accounts. It's similar to a security guard who wants more than an ID card, also asks for a fingerprint AND a retina scan. This way, even if a cyber-criminal manages to steal your password, they still have to overcome these additional security checkpoints.
How MFA Works (because everyone loves analogies)
The Concert VIP Pass - Imagine going to a concert with a VIP pass. Your ticket gets you through the main gate, but it's the VIP pass (something you have) AND photo ID (something you are) that gets you into that exclusive backstage area.
The Secure Home - Envision your home. A key (something you have) unlocks the door, but the alarm system also requires a passcode (something you know). If you have a retina scanner installed, that’s the third factor (something you are). And if you have a good dog, that might count as a fourth factor (something you smell?).
The Bank Vault - Think of a bank vault requiring a key (something you have), a code (something you know), and a voice recognition confirmation (something you are) to access the riches inside.
Types of MFA
SMS Verification - A code is sent to your mobile device via SMS, which you then enter on the website or app.
- Pros: Easy to set up, widespread usage.
- Cons: Susceptible to SIM swapping, not the most secure.
Authenticator Apps - Generates time-sensitive codes on your mobile device, which you input for access.
- Pros: More secure than SMS, no need for cellular signal.
- Cons: Initial setup can be cumbersome, reliant on device availability.
Biometric Verification - Uses your fingerprints, face recognition, or other biological attributes for verification.
- Pros: Highly secure, convenient.
- Cons: Hardware dependent, privacy concerns.
Hardware Tokens - Physical device that generates a code or has a button to approve access.
- Pros: Very secure, no internet connection needed.
- Cons: Easy to lose, additional cost.
Passkeys (a new kid on the block)
With digital security evolving, passkeys are emerging as a simpler, yet secure alternative. Recently, Google rolled out passkey support across accounts on all major platforms, heralding a new era of authentication. Unlike traditional passwords, passkeys are built using public-key cryptography, offering a hassle-free, phishing-resistant method to secure your online presence. They work seamlessly across devices, making the authentication process a breeze while keeping the baddies at bay.
FIDO2 Based MFA (this is the way)
In the digital communication realm, there's a myriad of channels facilitating MFA like SMS, email, phone calls, and authenticator apps. However, these conventional mediums have a chink in their armor – they can be hoodwinked by phishing kits like Evilginx mimicking the MFA process. Enter FIDO2, a knight in shining armor, employing a cryptographic key pair securely tucked away on your device, making it a hard nut to crack for hackers. When you attempt to log in, the FIDO2-enabled server tosses a challenge to your device. Your device, armed with a private key, signs the challenge and shoots it back. The server, holding the public key, verifies the response ensuring it originated from your registered device and hasn’t been meddled with. This mechanism falls flat on its face if redirected to a phisher’s lair since the key pair is conjured with the legit FIDO-enabled site, not the fraudster’s.
You can delve deeper into the realm of MFA with a few of our riveting videos that we include with Security Awareness Training (SAT) offering, now available for free in celebration of Cybersecurity Awareness Month.
With every extra factor you employ, you’re putting a sturdier lock on your digital treasure chest, making the cyber baddies work overtime to crack it open. So, heed the call of Cybersecurity Awareness Month, turn on MFA, and take a solid stride towards a safer digital realm!