Why passwords alone will not protect you

Of all the security issues that you need to grapple with when working with your clients, what is the one that keeps you awake at night?

If you were to ask ten different technology service providers this question, do not expect ten different answers. I can almost guarantee that poor password practices would be the overwhelming response.

Hands up if you have ever done one of the following:

  • Used the same password on different services?
  • Given your password to someone?
  • Texted or emailed your password to someone?
  • Used a password that wouldn’t pass any pub test (unlocking your iPad with 555555)?
  • Written down your password on a piece of paper for quick reference?

Okay, yes, me too. Not for a long time, but I have been guilty. All of the above are prime examples of what NOT to do with passwords. They are also good examples of what is wrong with relying on a username and password alone.

We are all creatures of habit and habits are hard to break – when it comes to password security, most people only break that habit the day they are hacked.

Multifactor Authentication (MFA) technology is a frontline defence weapon against hacking, phishing, spyware, and intellectual property and identity theft.

It is also known as Two Factor Authentication (2FA), although the current preferred term is MFA.

In this first part of a multi-part series we will discuss what MFA is, and why Intellect IT recommends your organisation implements it.

Six things you need to know about MFA:

  1. What is MFA?
  2. Why should you use MFA?
  3. Your behaviour matters
  4. Basic MFA is better than no MFA
  5. If a vendor offers it, use it
  6. Not just for work

1. What is MFA?

MFA/2FA is best described as the process whereby you can only be granted access to a site or service by passing more than one test of identity verification. Typically it is two tests, each using a separate technology.

Tech commentators distinguish between the two as follows:

Primary test: 
Something you know such as your user ID & password

Secondary test:
Something you have such as a unique code on your mobile phone or security token
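To make the second test concrete, here is an added example (not code from this article or from Intellect IT) of how the "unique code on your mobile phone" is produced and checked. It implements the standard time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP) in plain Python: the `totp` function is what the authenticator app computes from a shared secret and the clock, and `SecondFactorVerifier` is a hypothetical server-side check that tolerates a little clock drift and refuses to accept a code a second time. The class and function names are my own, and the shared secret is the well-known RFC test-vector value, not a real key.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated
    to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (time // step).
    This is what the authenticator app on the phone computes."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of the 'something you have' code (hypothetical helper).

    Accepts the current time step plus `window` steps either side to tolerate
    clock drift, compares in constant time, and never accepts a step at or
    below the last accepted one, so a code that was intercepted cannot be
    replayed after its legitimate use.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate < 0 or candidate <= self._last_accepted_step:
                continue  # never re-accept an already used (or earlier) step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self._last_accepted_step = candidate
                return True
        return False


# Shared secret from the RFC 4226/6238 test vectors (constructed input, not a real key).
RFC_TEST_SECRET = b"12345678901234567890"


def enrol_new_secret() -> bytes:
    """What a real enrolment would do: generate a fresh random shared secret that is
    stored server-side and shown to the phone app once (usually as a QR code)."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    # Walk through one login: the phone computes the code, the server checks it.
    now = int(time.time())
    phone_code = totp(RFC_TEST_SECRET, now)
    server = SecondFactorVerifier(RFC_TEST_SECRET)
    print("code from phone:", phone_code)
    print("first use accepted:", server.verify(phone_code, now))   # True
    print("replay accepted:", server.verify(phone_code, now + 5))  # False
```

The point of the verifier's bookkeeping is that the code is worthless to anyone who sees it after you have used it, which is exactly what makes a phone-generated code a stronger second test than a password that stays the same every day.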

2. Why should you use MFA?

The Australian Government’s Cyber Security Centre (ACSC) recently surveyed Australian small businesses. It found that 72 per cent of businesses that had previously experienced a cyber incident thought it likely or almost certain that they would experience another one in future.

A separate study by IBM found that 95% of all successful cyber attacks are caused by human behaviour.

As we highlighted above, passwords are simply not good enough.

The ACSC produces a list of eight cyber security guidelines known as the Essential Eight. By implementing these eight key guidelines, businesses can dramatically reduce the risk of a cyber security incident. MFA is regarded as one of the key pillars of the Essential Eight. So don’t take our word for it: follow the advice of the country’s top security experts.

3. Your behaviour matters

Good work habits are your frontline form of defence against cyber threats.

Good work habits combined with strict adherence to MFA are a winning combination. MFA should not be optional, nor should using it only occasionally be an option.

Just as you would not disclose your password to a colleague, you should not let your secondary form of authentication out of your sight. Your mobile phone, token, dongle or key should stay with you at all times.

4. You have probably already adopted MFA and not known it

Hollywood has been obsessed with MFA for decades. Does this sound familiar? The spy enters a highly classified military base using a dodgily acquired swipe card with a magnetic strip. She then proceeds to her target only to be confronted by a retina scan security check. Yep, MFA.

Or what about something more relatable? Domestic flights (remember them?) these days are all about self check-in. You purchase your ticket online and provide a driver’s license as identity verification. At the airport, you navigate through the horrible security checks and, as you are about to board the plane, the flight attendant holds up your boarding pass AND your license to your face to verify that you are who you say you are. MFA again.

Have you ever been pinged with a unique code via an SMS from your bank that you need to enter to validate a one-off bank transfer? Whilst SMS is a weak form of MFA (SMS is not an end-to-end encrypted technology), it is infinitely better than not using MFA at all.

5. If a vendor offers it, then use it!

In part two of this series, we will discuss enterprise-grade MFA solutions, but as a rule, if a vendor offers MFA, then our recommendation is that you use it. Simple as that.

Image: Multifactor Authentication within the Federal Government’s myGovID application. Government bodies have been leaders in MFA. The Australian Federal Government’s myGovID is a good example of the use of a smartphone app as a second form of authentication. On the left, a browser request to access the ATO portal generates a 4-digit code to be entered on a mobile phone.

6. Not just for work

A good way to form good habits at work is to start at home. The information you use to populate a spreadsheet is as valuable to your organisation as your driver’s license number is to you.

Facebook, LinkedIn, Twitter and Instagram all offer MFA as an option. Use it.

The best way to think about MFA at home is that neither your personal information nor that of your family and friends is for sale. Identity theft is real. Each of these services provides good support articles and videos on how to turn MFA on.

Coming up: Part 2. MFA for the enterprise

In part two of this series, we will examine enterprise-grade solutions for MFA. In the meantime, if you have any queries about anything we have discussed here, do not hesitate to get in touch with our office.