
Redux: Is a Password Enough to Keep Your Sensitive Information Safe?

Are you using two factor/multi-factor authentication (2FA/MFA)? You should be! Passwords alone are not enough anymore to thwart motivated hackers from accessing your accounts. MFA adds strength to your passwords by using something you know (your username/password) and something you have. However, as we get more sophisticated so do the bad guys. What are today’s best practices?

For the uninitiated, MFA is a way to add additional security beyond a username and password to access web-based applications, software, and even hardware. Ostensibly it would thwart anyone with your password and username from getting into your account or device. You can turn on two factor authentication in many online accounts by going into your privacy and security settings.

The basic principle is that to gain access to the resource there is something you know – username, password – and something that you have. There are four primary ways to add MFA. One is a Time-Based One Time Password (TOTP) code created by an app or password manager. Another is a key fob or token, a physical device plugged into your computer or connected using your smartphone’s NFC or Bluetooth signals. Most familiar is a one-time code delivered by text message (SMS). Sometimes there may be an option to use something that you are, usually biometrics like fingerprints or facial recognition. The “something that you are” is most often used to gain access to hardware, like an iPhone or a computer with a fingerprint reader.

Text Message as a Second Factor

It has become apparent that a hacker can intercept the SMS code if they can take over your phone number, often by convincing your carrier that you have a new phone and having it activated, or by other technical means that exploit flaws in the 2FA systems. Due to SIM swapping and other issues (like re-routing text messages), it is no longer a best practice to use a numeric code sent via text to your mobile phone. However, some services offer no MFA option other than receiving a code via SMS. This is problematic not only because of the reduced security value, but because it puts firms in the position of relying on staff devices and personal cell numbers as the second factor.

Jim Calloway makes the intriguing suggestion to get a Google Voice number if a service you subscribe to only offers SMS MFA. Since Google accounts can be secured with MFA, this is possibly more secure than the mobile network. Or, if your firm has a VoIP system with text messaging that is better secured than regular SMS, that might be worth considering. For personal use, an unpublished Google Voice number is a better option, since your mobile number is often used as your primary home number and is therefore widely distributed and available.

Authenticators

Third-party authenticators like Google Authenticator, Microsoft Authenticator, or Duo Mobile are a better option than SMS for MFA. These authenticators are apps installed on your smartphone and/or as a browser extension, and they provide a single-use, timed code to access the protected accounts. To enable the authenticator the first time, you generally install the app and then scan a QR code displayed on your screen, or enter a setup code shown during the setup.

Many of the popular password managers, including 1Password and Dashlane, have authenticators as well. Some password managers, like Keeper, have the authenticator integrated into the product, so when you log in it fills the username and password as well as the TOTP code.

Tokens or Fobs

A stronger way to use two factor authentication is to use a physical device (something you have) instead of a code sent through SMS. Market leaders include Yubico, Feitian MultiPass, NitroKey, and OnlyKey. Tech companies such as Google and Facebook now use Yubico’s YubiKey. The devices work with computers as a USB fob, and with phones over the phone’s NFC (near field communication) signal, which is available on Android devices and iOS 11. Simply insert or tap the fob to provide a second factor of authentication and avoid the potential failures of the SMS code. These devices range from $20 to $60 individually and are available for firm-wide deployment.

Conclusion

In 2017 the NIST best practices suggested avoiding SMS as an authentication method and requiring users to re-authenticate at least every 30 days. Don’t trust your devices forever; force an authentication refresh periodically. Even if you use an authenticator app on your mobile device instead of SMS, you still need to keep your phone screen locked and your phone encrypted. To protect sensitive information held in online accounts, consider ways to reduce exposure from password exploits and add another layer of security through MFA.