
Bad Passwords Part 3: Get your MFA

Cybersecurity, Tips

May 4, 2022


Get your MFA! 

MFA? Master of Fine Arts degree? 

Nope! Multi-Factor Authentication. (Much cheaper and arguably more useful, ha.)

In Bad Passwords Part 1 and Part 2, we talked about bad passwords and better passwords. What if I told you there is a way to make those better passwords EVEN BETTER? There is, and it works by adding an extra layer of protection: Multi-Factor Authentication.

Also known as Two-Factor Authentication, or 2FA, MFA is a second layer of security, so even if someone does get past your password, there is another barrier to stop them getting into your account. Like opening a safe to find another, smaller safe inside.

 

How does it work?


MFA is becoming more widely adopted, and you may already be using a form of it on some of your online accounts. Basically, after accepting your username and password, MFA requires the user to present a second form of identification, which usually takes one of the following forms:

  • Something you know – Such as secondary passwords or pre-established answers to questions. (More about this later.)
  • Something you have – This method uses something you have to generate or receive a short-term, single-use PIN. In some highly secure systems, this could be a small piece of proprietary hardware like a smart card, a special key fob, or USB drive. More common are the systems that send you a text, call, or email with your PIN, with the idea that an intruder probably doesn’t also have access to your phone. These token PINs can be used only once and are voided immediately after use, so even if that message is intercepted, the attacker will not be able to use the information again to access your account.
  • Something you are – This uses biometric identification to make sure you are you. It can include scanning of eyes or fingerprints, other facial recognition, and voice recognition. Many modern smartphones use this to unlock the phone, through facial or fingerprint scanning.
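
To show what "used only once and voided immediately after use" means on the service's side, here is an added Python example (not from the original post or from any particular product). The class name, the 5-minute lifetime and the 5-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300  # assumed lifetime; the post only says "short-term"
MAX_ATTEMPTS = 5       # assumed guess limit, not stated in the post


class OneTimePinStore:
    """Server side of a texted or emailed PIN: short-lived and single-use."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [pin_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(pin):
        return hashlib.sha256(pin.encode()).digest()

    def issue(self, username):
        """Create a fresh 6-digit PIN; issuing again replaces the older one."""
        pin = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + PIN_TTL_SECONDS
        self._pending[username] = [self._digest(pin), expires_at, MAX_ATTEMPTS]
        return pin  # a real service would send this to the phone or inbox

    def verify(self, username, pin):
        """Return True at most once per issued PIN."""
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, already used, or already voided
        digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[username]  # expired PINs are discarded
            return False
        if hmac.compare_digest(digest, self._digest(pin)):
            del self._pending[username]  # voided immediately after use
            return True
        entry[2] -= 1  # wrong guess: count it against the limit
        if entry[2] <= 0:
            del self._pending[username]  # too many guesses voids the PIN
        return False
```
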


If you are able to use MFA on your accounts, DO IT! The extra security is well worth the extra steps to set it up… with one small caveat: the Security Questions. You’ve seen them before: questions you answer when you set up a new account, for verification in case you forget your password. Usually things like: “What was your high school mascot?” or “What is your mother’s maiden name?” Now, they are very necessary – you need to be able to reset passwords! But they can be a weak spot. Think about how long it would take you to answer those two questions about one of your coworkers – whether just through conversation, or a look at their Facebook page – the sort of information those questions usually ask is not always secret or hard to find.

So what do you do? Don’t answer them correctly! Think of them as a secondary password, and choose an answer that is memorable, but inexact. Think about what information someone else could learn about you, and be sure not to let them use it against you in security questions.

Want to learn more about MFA? Check out CISA’s Security Tip: Supplementing Passwords.


As always, if you have any questions or concerns about cybersecurity and/or password management, give us a ring!

This post, like all our posts, is 100% written by a human.
