Authentication to protect your accounts
One of the greatest threats against your personal security is an attacker taking control of an online account. With it, a threat actor can do all sorts of nefarious deeds in your name, and if they get control of your email account, they can use password recovery features to control even more of your accounts. Fortunately, multi-factor authentication (MFA) can protect against account takeovers.
What is multi-factor authentication (MFA)?
You are probably familiar with the username and password authentication method. However, passwords have several problems. Humans aren’t the best at remembering passwords and are even worse at picking unique, complex passwords that can stand up to attacks. What’s more, people tend to reuse passwords, meaning that if one account is compromised, all the other accounts with the same password are also at risk.
Multi-factor authentication, sometimes known as two-factor authentication or 2FA, seeks to change that by using more than one authentication factor. That doesn’t mean a second password: it means at least two factors drawn from three possible categories:
- Something you know
- Something you have
- Something you are
Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a USB security key or an authenticator app on your phone. It’s something that isn’t easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan – such as a fingerprint scan or facial recognition.
Because it’s extremely unlikely an attacker will have more than one of these forms of authentication, MFA makes it much harder for threat actors to take over accounts. For example, when Google required their employees to use hardware MFA keys, account takeovers effectively vanished.
MFA has become a mainstay of the security industry over the past decade. The first generation of MFA commonly used a one-time authentication code sent over SMS. So, if you’ve ever had to input a one-time password (typically a series of six or eight numbers) then you’ve used MFA without knowing it. Common MFA types include:
- SMS-based one-time passwords (OTPs): you log in with your username and password, and you are sent a 6- to 8-digit one-time password (OTP) that is different every time.
- Hardware one-time password (OTP) tokens: hardware devices, usually a dongle on your keyring, a smart card or a USB key, that generate one-time codes from a cryptographic key stored inside the device.
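To show how an OTP token or authenticator app turns a stored key into a code that is "different every time", and how the service on the other side should check it, here is an added example (written for this page, not code from the original article or from any vendor). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library. The secret is the RFC test-vector key, chosen so the output can be checked against the published vectors; the SHA-1, 30-second, 6-digit defaults match what most authenticator apps use. The verifier also shows two things a login service needs that the code-generation step alone does not: tolerating a small clock drift, and remembering the last accepted time step so a code an attacker captured (for example via phishing or SMS interception) cannot be replayed.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: this is the RFC 4226 / RFC 6238 test-vector key,
# not a real secret. In practice each account gets its own random key that is
# shared once (e.g. via QR code) with the authenticator and stored server-side.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 s by default."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: int, window: int = 1,
                digits: int = 6, step: int = 30):
    """Server-side check of a submitted TOTP code.

    Returns (accepted, new_last_used_step). The service must persist
    new_last_used_step per account and pass it back on the next attempt.
      - The current step is tried first, then +/- `window` steps, to tolerate
        clock drift between the token and the server.
      - Any step <= last_used_step is refused, so a code that was already
        accepted (or captured and submitted later) cannot be replayed.
      - Comparison is constant-time to avoid leaking matching digits.
    """
    current = unix_time // step
    for delta in sorted(range(-window, window + 1), key=abs):
        candidate = current + delta
        if candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
```

In a real deployment the per-account secret and `last_used_step` live in the account store, failed attempts are rate-limited (a 6-digit code has only a million possibilities), and the secret is never shown again after enrolment.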
Choosing the best multi-factor authentication for your business
When shopping for a USB security key, look for FIDO U2F certification, which means it will work with most services that support security keys.
FIDO2/Web Authentication (WebAuthn) is the future-proof next-generation standard that can support additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you’ll need FIDO2/WebAuthn.
We are a Zero Trust consultancy.
Our Zero Trust Solutions consultants can help you choose the right multi-factor authentication type for your business. We factor in many concerns, including:
- How the MFA will help with your passwordless and your Zero Trust journey
- Accessibility concerns across your organisation
- An end-to-end lifecycle process to account for loss, upgrades and stolen devices.