Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign-on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds another layer of protection into the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data was subsequently posted or sold online. When an account is protected with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless, it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Frontier Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.