Understanding Multi-Factor Authentication


Multi-factor authentication (MFA) grants a legitimate user access to a website, computer, device or other resource only after they present two or more independent pieces of evidence to the authentication system: typically something they know (a password), something they have (a phone or hardware token) and, sometimes, something they are (a fingerprint). Each additional factor is a separate hurdle for an attacker, so a single stolen password is no longer enough to cause a breach.

The most common authentication factor is still the regular password. We encourage people to use strong passwords, because they make guessing and brute-force attacks expensive. However, even the strongest password is useless if cyber criminals manage to install a keylogger on a computer, or if the online provider that stores the passwords for your company's accounts gets breached.

To raise the bar, add at least one additional factor: SMS codes, authenticator apps, or software or hardware tokens. With SMS or an authenticator app, the user enters their username/password combination plus a numeric code that is sent to, or generated on, their smartphone. SMS codes are picked at random by the provider for each login; app-generated codes are derived from a secret shared at enrolment and the current time, and change every 30 seconds. Either way, an attacker who only has the password cannot log in.

SMS-based authentication can be beaten, though. A criminal can call your mobile provider, claim to be you, and convince the support team that your phone was stolen and you need a new SIM card right away (a "SIM swap"). Once your number has been moved to a SIM they control, every one-time login code is delivered straight to them. Others work on a larger scale, setting up fake cell towers (IMSI catchers, commonly called "stingrays") that intercept your codes as they travel over the air. And SMS codes are unreliable for people who frequently travel abroad, where the message may arrive late or not at all.

Authenticator apps, such as Google Authenticator and Microsoft Authenticator, are stronger, because nothing is sent over the phone network. They are still not immune: malware on the phone may capture screenshots of the codes and forward them to the attacker in real time, and because the code is just a six-digit number, a phishing site that asks for it and relays it to the real site within the 30-second window gets in. This doesn't mean you should discard SMS-based and app-based authentication; both are far better than a password alone.

For security-conscious people and companies, hardware tokens are by far the best solution. These USB security keys keep their secrets in tamper-resistant hardware and answer each login locally. With U2F and FIDO2 the key signs a challenge that is bound to the site's origin, so there is no code to intercept and a phishing page cannot reuse the response; in OTP mode the key types a one-time code for you, which saves time. We prefer the YubiKey, which is inexpensive and supports one-time passwords, the U2F and FIDO2 protocols, and more.

Additionally, a YubiKey can hold a static password and OATH credentials in its built-in memory, and it integrates nicely with the most common password managers as a second factor. Plug the key into a USB port and it is detected as a USB keyboard; whenever you are prompted for your one-time password, touch its capacitive "button" and the key types the code. In Yubico OTP mode each key carries its own AES key, so a code cannot be forged without the device, although the validation service that checks those codes must itself stay uncompromised; in U2F/FIDO2 mode the key uses a separate key pair per site and public-key cryptography, so no server holds a secret that could be stolen.
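To show why an origin-bound challenge-response beats a typed code, here is a simplified model of a U2F/FIDO2 login assertion in Go, added as an illustration; it is neither Yubico's code nor the FIDO specification's reference implementation. The signed message (hash of the relying-party ID plus a hash of the challenge and the origin) follows the real protocol in spirit, but the exact encoding, the user-presence flag, the signature counter and attestation are left out; the relying party bank.example and the phishing origin bank-login.example are made up. The point it demonstrates: the browser, not the user, supplies the origin that goes into the signature, so a phishing page that relays the real challenge obtains a signature the real site rejects, and rewriting the origin field breaks the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a security key holding one P-256 key pair per relying
// party (RP). Private keys never leave the device; only signatures do.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Assertion is the key's answer to a challenge. Origin is filled in by the
// browser from the address bar, never by the page or the user.
type Assertion struct {
	RPID, Origin string
	Challenge    []byte
	Sig          []byte
}

// RelyingParty is the server side: its origin and the stored public key.
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair scoped to rpID; the server stores the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedMessage binds the signature to the RP, the challenge and the origin.
// Simplified layout: SHA-256(rpID) || SHA-256(challenge || "|" || origin).
func signedMessage(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append(append([]byte{}, challenge...), []byte("|"+origin)...))
	sum := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return sum[:]
}

// Sign answers a challenge for rpID as seen from origin.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, origin, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: rpID, Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// NewChallenge returns fresh random bytes so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify rejects the login on any mismatch: wrong RP or origin, a challenge other
// than the one just issued, or a signature that does not cover exactly those values.
func (rp *RelyingParty) Verify(expected []byte, as *Assertion) error {
	switch {
	case as.RPID != rp.ID || as.Origin != rp.Origin:
		return errors.New("assertion was produced for a different origin")
	case string(expected) != string(as.Challenge):
		return errors.New("challenge mismatch (stale or replayed)")
	case !ecdsa.VerifyASN1(rp.PubKey, signedMessage(as.RPID, as.Origin, as.Challenge), as.Sig):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example"} // made-up RP
	rp.PubKey = auth.Register(rp.ID)
	ch := rp.NewChallenge()
	genuine, _ := auth.Sign(rp.ID, rp.Origin, ch)
	fmt.Println("genuine login:", rp.Verify(ch, genuine))
	// Phishing: the attacker relays the real challenge, but the victim's browser
	// is on the attacker's origin, so that is what the key signs.
	ch2 := rp.NewChallenge()
	phished, _ := auth.Sign(rp.ID, "https://bank-login.example", ch2)
	fmt.Println("relayed phish:", rp.Verify(ch2, phished))
	phished.Origin = rp.Origin // attacker rewrites the field; the signature no longer matches
	fmt.Println("edited phish:", rp.Verify(ch2, phished))
}
```

In the real protocol the browser additionally refuses to use a credential whose RP ID is not a registrable suffix of the page's origin, so the phishing page would usually not get a signature at all; the origin inside the signed client data is the second line of defence this model shows.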

One more thing: criminals will try a compromised password against all of your other accounts. So use a different, hard-to-guess password for each account. If you need to keep track of many complex username/password combinations, store them in a reputable password manager protected by a strong master password. Write that master password down in a notebook kept somewhere safe; if you forget it, none of the stored passwords can be recovered.

Pick a password manager built by a company whose servers have not been breached in the past. To minimise risk, we recommend buying a standalone application that stores its vault locally, rather than relying on a cloud-based service.