We’ve relied on usernames and passwords to log into websites and online services for many years. It has been the default method of ensuring that only you, the owner of the account, have access to the data and information that you need.
Unfortunately, cybercriminals have increasingly found the value of obtaining login details. Also, it isn’t just financial institutions that are prime targets – everyone is vulnerable.
Multifactor Authentication (MFA) offers an additional layer of user authentication to help prevent unauthorised access to users accounts. Let me explain how they do it, and how you can enable Multifactor Authentication (MFA) on your accounts.
How do Cybercriminals access users’ accounts?
- Brute Force Attacks – if the cybercriminal knows an email address that is used to access an account, they will try to log in to one or many other websites with that email address with multiple passwords. If a user has a weak password, such as “password123”, or “letmein”, then the account is more at risk to this type of attack. This is because cybercriminals use weak passwords first in an attempt to gain access to the account.
- Social Engineering – cybercriminals may approach a user directly posing as a company or an organisation to ‘trick’ them into handing over their login details. A popular approach is to create a ‘copycat’ website that looks like the company or organisation they are pretending to be, and ask the user to log in there. The user then inadvertently hands the cybercriminals their login details which they will then use on multiple websites.
- Compromised websites – the security of some websites is so poor that cybercriminals are able to gain access to users’ accounts and data by gaining access to the websites’ files or database. Thankfully many companies and organisations are increasingly aware of how to secure a website, and so this kind of attack is less common than it was. But cybersecurity is an ongoing and ever-changing threat and so this should not be discounted.
When a cybercriminal has a username and password, they will try to use it against various websites. Sadly, sometimes they are successful in gaining access to an account. From there, they are able to access any data that is available to the user, including personal details such as name, address and possibly payment details.
To combat unauthorised access, services have been offering Multi Factor Authentication (MFA), or 2FA as it is sometimes known as. MFA is a secondary layer of authentication.
How MFA Works
- The user logs into a website by typing in a username or email address, and a password.
- The website sends a notification to ‘confirm’ this login. The user will not be able to log in without this confirmation.
- If the user ‘confirms’ the login, the login is successful and the user logs in. If the user doesn’t, then the login fails.
In MFA’s early conception, websites would send you an email to confirm if it is you who is logging in. You would confirm this by clicking on a link or typing a code in. While this was a great step towards protecting your account, what if the hacker had access to your emails too?
Smartphones were the answer to address this problem. Most of us carry our mobiles around with us. If we don’t, it’s never too far away (unless you are like me and you end up leaving it at home, or in the car, but that is another story).
A smartphone can allow you to receive a notification using one of the following methods:
- SMS / Text – a user can receive an SMS or Text message with a code which they then use to log in. This is the easiest, most accessible way for all users to be able to use MFA. Many online services offer this for free, Twitter being a notable exception.
- Phone call – some services offer users to receive a phone call instead as confirmation that they are logging into a website. The phone call will often be automated, and will read out a code which you then use to log in.
- Authenticator App – the best way of using MFA is via an Authenticator App. Both Google and Microsoft offer their own Authenticator App, but both offer the same features. An Authenticator App takes a little time setup – you need to add each website you want to enable MFA for into the App. But instead of receiving an SMS or a phone call, you simply add the code that the Authenticator App tells you to enter.
MFA has become so successful in reducing unauthorized access, that Microsoft have even hinted at getting rid of usernames and passwords altogether, and solely relying on smartphones to approve logins.
Why does MFA work?
Let us use an example.
A hacker obtains Mr John Doe’s email address and password to access his bank account online, via the bank’s website. John doesn’t know this. The cybercriminal tries to login. The login works, but the cybercriminal can’t get any further – that is because the website is asking him to “check his authenticator app” for a code. The hacker does not have John’s phone, so he doesn’t have the code. Meanwhile, John, sat outside a café enjoying a coffee, gets a notification on his phone, asking him to confirm his login. But John isn’t trying to login, which leads him to believe someone else is. He denies access using his app. The cybercriminal can’t login, and his account is safe. If John hadn’t had MFA enabled, then the cybercriminal may have been able to login.
The one downside to MFA is, if you don’t have your smartphone with you, you won’t be able to log in. However, some services can recognize the IP address you are logging in from and therefore bypass MFA. Some, like Office365, even ask if this is a device you log in often from and ask if you want to bypass MFA for up to 365 days.
What to do next
- Decide what MFA process you would prefer to use – Email, SMS, Phone call or Authenticator App.
- Check the websites you use to see if they offer MFA, starting with those that store personal and/or financial data. If they do offer MFA, enable it.
- Follow the instructions the website is providing for the method of MFA you have chosen.
- If you are a business and use services such as Office365, ask your IT or Cloud Service Provider about how to enable MFA on your account.
If you have a smartphone and you want to add another layer of security to your accounts on the internet, MFA does just this – it gives you full control of who can log in to your accounts and when, and it also notifies you when someone is trying to access your account when you are not. Just make sure you have your smartphone close by!
Mat Hasker is a web specialist, gamer, musician and writer