In this day and age, Multi-Factor Authentication (MFA) is a must-have for any organization that is concerned with the security of its data and assets. For those of you not in the know, MFA is a form of identity authentication requiring one or more forms of authorization in addition to the standard login credentials for things like workstations and applications. For example, you log into your network with your username and password, then another field pops up requesting that a 6-digit code be entered to continue. You whip out your phone, run the applicable MFA app, look up the code, and type it in on your workstation. Abracadabra, you are now logged in.
This simple process adds an extremely valuable layer of identity authentication that goes a long way toward preventing hackers and such from using your identity to gain access to business and/or personal assets. In other words, when a co-worker walks by your desk every day and, by watching you and looking at sticky notes, figures out your login credentials, it won’t help them unless they have access to your phone’s MFA app as well.
Now I know what some of you may be thinking. This is a bit of a hassle. I get where you are coming from. I use MFA for logging into my workstation, email, and two other business applications. I resisted MFA as long as I possibly could until my employer made it mandatory. It was made mandatory because one of the company executives had their email credentials compromised and a hacker attempted to fool one of his staff via email into transferring funds to a bank account. Fortunately, the staffer did not fall for it. A real estate company an associate of mine works for was not so fortunate. They got scammed out of over $1,000,000. You can bet they wished they were using MFA at the time.
This kind of attack is a form of what is called phishing. According to the Federal Trade Commission, “Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both.” The FTC webpage on this offers additional sound advice on how to avoid being a phishing victim. There is a link below.
Depending on what you are logging into, there are three common forms of additional authentication. The first is push notification. This sends an authentication request to either your email or phone asking you to approve or deny the request. If using your phone, this is the most convenient method. It also has the benefit of informing you if someone besides you is trying to use your credentials. The second is the 6-digit entry I mentioned previously. The third is typically used if you are offline. The MFA app will present a QR code on the screen that you snap a picture of with your phone’s MFA app. It then gives you a code to enter. Don’t worry, the hassle factor wears off quickly as you get used to the process.
There are other methods in addition to MFA that you and your organization can deploy to provide a safer online experience, which I will cover in subsequent articles. However, MFA is the first step in helping to prevent phishing fraud. If you aren’t using it, you should start ASAP. To learn more about MFA, contact your 3D/NPI representative.