Do you know what MFA is? If you answered, “it is the method of granting access to only those who can provide the required combination (multi factors) of information to satisfy the access requirements”, Good for you! [Even if you looked it up]

On the surface, the added effort to get your token generating device and get logged in, especially when you have an urgent task or deadline looming seems like a ginormous pain. But in reality, it is helping to keep us secure and ensuring access is limited to only those with the correct credentials, think trust no one, verify everyone (this process is the very core of, to use buzz words, “Zero Trust”).

Another term for MFA you may have heard is “2FA” or “Two Factor Authentication.” This is a type of MFA where the required multi factors are typically made up of at least two of the following categories:

1. Knowledge (something you know like password, PIN, etc.…),
2. Possession (something you have like a card, token, key, etc.…), and
3. Inherence (something you are, biometrics, typing pattern, etc…).

By now, I’m sure you know that the use of multiple authentication factors to prove your identity is not new (the most common example we have been using for a long time is an ATM. To get cash you need a card (have) and a pin (know) to gain access to your money. There are many different areas where we have data that can be of value to others (PII, account login information, proprietary company information [yes, corporate espionage is real, not just in the movies]). The availability of this data to be accessed remotely increases the need to “up the ante” on data protection; it is now critical (and thankfully, commonplace at work) to require the user, wanting to access this sensitive data, to prove “they are who they say they are.” This is all rooted in the premise that an unauthorized “bad actor” is unlikely to be able to supply all the factors required for access.

You may be asking, “Why are you beating this dead horse, Rob? We have to do it at work, we don’t have a choice!” Point taken…BUT, often we do not think to exercise the same protection on our PERSONAL stuff. I submit for your consideration, that your banking information is very important, as is your identity, and even your online identity (social media, file and photo storage, etc..). Why not protect those too? Is it infallible? No. But…it does require more effort to circumvent for the hacker to gain access. And let’s be honest, hackers are looking for the easy money, not expending a lot of effort for little reward, for the most of us that means by enabling MFA we become less appealing to a hacker (now, if you are a millionaire, you may have moved up their ”is the juice worth the squeeze” checkpoint).

So, in summary, I recommend you consider seeing how you can (with a little personal inconvenience) remove yourself from hacker “low hanging fruit” status and protect your personal data just like you help us protect our corporate data – by using MFA to add another layer of protection.

For more information, check out more about 2FA (note, while that article focus is on Apple, it is the same for Android and Windows) and I’ll continue to keep you abreast of how we are continually evolving to make access more secure (and easier)!

Newsletter by: Rob Collings, ISHPI’s VP of Cybersecurity | CISO

May 1, 2023