A Brief Introduction to MFA

You avoid password sticky notes and phishing scams like they are the plague. You are paranoid, but well informed. If you have been keeping up with recent posts, you already know how to generate or choose secure and memorable passwords. However, your vast powers of technical ability and common sense will inevitably fail you.

Data breaches often occur from factors that are beyond any one user’s control. Companies may use an insecure cryptographic algorithm, have poor password management practices, or have an admin account on an unlocked desktop in the corporate office, with the password on a sticky note, just “in case.” In all of these scenarios, it does not matter how secure your particular passwords are if the organization storing your information ever drops the ball.

This is where two-factor authentication (2FA) comes in. Two-factor authentication requires the user to present two separate proofs of identity for account access. There are three widely accepted forms of identification online: something the user knows, like a password, passphrase or PIN; something that only the user has, like a mobile device or a hardware token; and something that is unique to the user themselves, like a fingerprint. Two-factor authentication requires any two of these. That way, if a password is compromised, account access is still restricted.

Let’s say, for example, that your account at example.com was compromised 3 hrs ago. This is more than enough time for your password or password hash, along with those of 3 million other users, to be stored and distributed online. If you used the same password, or simple variations of it, across multiple sites, the attackers can now access your email, social media, government, and banking accounts.

Multi-factor authentication (MFA) systems require more than one factor of authentication to prove identity. They tend to use a combination of security tokens, soft tokens, location data, and biometric data. Security tokens are physical objects used for identification, such as key fobs and ID badges. Soft tokens are generated by software that produces single-use PINs to identify users; on smartphones this is usually done through an authenticator app. Location data may also be used for authentication: if you access your checking account from New York, it is impossible for you to access it from Nigeria twenty minutes later unless you have a portal gun. Biometric data consists of any feature that relates to your physical body.

So, back to the example.com scenario: your attackers have access to your password, but if you enable MFA, the attacker must now acquire or monitor your cellphone, be within a certain radius of your last recorded access location, and have your fingerprint. Unless you are truly a high-profile target, attackers will move on to someone else.

Enabling MFA is now easier than ever! Companies like Google enable a form of 2FA by default, and many other organizations like Facebook, Microsoft, Amazon, Discord and GitHub allow MFA through their account settings. Once you have enabled MFA, you should be able to choose between receiving an SMS code or generating a temporary PIN with an authenticator app like Google Authenticator, LastPass Authenticator, Authy, or Duo Security.

So what are you waiting for? Enable MFA and tell cybercriminals “You shall not pass!”