With all the information about security breaches in the news, many of our clients at ITeck ask, “What is an easy way to increase our security, prevent us from getting hacked and keep our data secure?”
One of the easiest and most user-friendly ways to protect yourself, your company and your information is probably something most users are already doing with their personal financial accounts: Multi-factor Authentication.
Multi-factor Authentication, which includes two-step authentication or verification, is a method in which after entering your username and password the system you are accessing reaches out via a pre-configured method to confirm you are trying to log in. For example, after entering your username and password for a given website or application, you receive a text message with a code to enter, confirming your identity and login.
There are many different options users can choose from for Multi-factor Authentication. For instance, Microsoft Office 365 offers:
- Receiving a text message with a code,
- Receiving a phone call from an automated system, or
- Using an app on your cell phone to provide the additional authentication.
Of these three options, perhaps the easiest method is to enter your cell phone number and receive a text message. This is the option chosen by many ITeck clients.
When users don’t want their personal cell phone to be tied to work accounts, you can use the phone call method to dial your work phone. But be warned when using this method that if you do not have a direct dial phone, the authentication call won’t reach you. Instead, whoever answers the call will only hear that Microsoft is calling to authenticate a login and that they should press a button to confirm it. If someone else answers the call, the login should not be confirmed, because you should never confirm a login you aren’t personally attempting. You should only use the phone call option for a direct dial phone line that you have access to in multiple locations. If you set this up for your desk phone at work but try to log in through a webpage at home to check your email, it will call your desk phone, and if you can’t answer it you won’t be able to complete the login.
Using an authentication app is easy but requires setting up the app on your phone. Once downloaded and configured, you will receive a notification in the app when you log in. The app will ask you to press a button to confirm the login and you will be authenticated.
This extra authentication helps protect your account from being compromised. If you receive a text, phone call, or app alert when you aren’t trying to log in, you should immediately notify your security team and change your password. You will only receive these messages if you or someone else has correctly entered your username and password – a sign that your password has already been compromised.
“But I don’t want to enter a code every time my Outlook opens” is something we often hear from users before implementing Multi-factor Authentication. However, the good news is that with modern authentication protocols in most applications, after authenticating once you won’t have to go through the multi-step process again if you are using your application continuously for up to 90 days. You will have to re-authenticate if:
- You sign out of an application like Microsoft Office within the application itself.
- You don’t log in for 14 days on a given device.
- You change your password.
For applications that don’t support Multi-factor Authentication you can use App Passwords to bypass the need for multi-factor confirmation. App Passwords are specific to a single application, so they provide an extra layer of security while bypassing the need for a multi-factor confirmation in that application. These passwords are generated for you, cannot be changed, and do not expire. With this approach to Multi-factor Authentication you can also choose to apply this extra security measure to specific applications that contain high-value or important information.
When you create an App Password you can specify a name, and then Microsoft or the application you’re trying to secure (including Gmail and Google products and Apple third-party applications) will present to you a randomly generated App Password. Copy and paste the password or manually enter it into your application. You will only be able to view the password at this time on this screen. After you close the window you can only delete the password; to get a viewable password again, you will have to create a new one. App Passwords do not expire like normal passwords, so you shouldn’t have to re-enter the password unless there is an error.
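To make the App Password properties above concrete (shown once, tied to one named application, never changed, never expiring, afterwards only listable by name or deletable), here is an added illustration in Python that is not Microsoft’s implementation or code from this post; the 16-lowercase-letter format, the PBKDF2 hashing and the user names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of an app-password store (not Microsoft's implementation).
# Password format (16 lowercase letters) and hashing parameters are assumptions.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz"
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


@dataclass
class _Record:
    name: str      # label the user chose at creation, e.g. "Outlook on laptop"
    salt: bytes
    digest: bytes  # only a salted hash is kept, so the plaintext can never be shown again


class AppPasswordStore:
    def __init__(self) -> None:
        self._records = {}  # user -> list of _Record

    def create(self, user: str, name: str) -> str:
        """Generate an app password for (user, name). The plaintext is returned
        exactly once to the caller; the store keeps only its hash."""
        password = "".join(secrets.choice(_ALPHABET) for _ in range(16))
        salt = os.urandom(16)
        self._records.setdefault(user, []).append(_Record(name, salt, _hash(password, salt)))
        return password

    def verify(self, user: str, password: str) -> Optional[str]:
        """Return the application name this password was issued for, or None.
        No expiry check: app passwords do not expire."""
        for rec in self._records.get(user, []):
            if hmac.compare_digest(_hash(password, rec.salt), rec.digest):
                return rec.name
        return None

    def names(self, user: str) -> list:
        """All the user can still see after closing the creation window: names only."""
        return [rec.name for rec in self._records.get(user, [])]

    def delete(self, user: str, name: str) -> bool:
        """The only change allowed after creation: remove the password entirely."""
        recs = self._records.get(user, [])
        kept = [rec for rec in recs if rec.name != name]
        self._records[user] = kept
        return len(kept) != len(recs)
```

Because there is no update method and the store never holds the plaintext, the only way to recover from a lost or leaked App Password is to delete it and create a new one, which is exactly the workflow described above.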
Here at ITeck, we believe that Multi-factor Authentication is an important and easy step to help secure and protect your accounts from unauthorized access. Many people have already used Multi-factor Authentication, making it easy to integrate into your current practices and workflow.
However, Multi-factor Authentication is not the silver bullet to your password and user security problems. (Hint: there is no silver bullet. Digital security is a complex and ever-evolving challenge!)
Many multi-factor authentication technologies don’t securely and specifically tell you what you’re being asked to approve, so it can be easy to distractedly approve a request that is in fact not your own login attempt. In addition, because this extra layer of security is often applied to valuable data and information, the accounts it protects can be targeted for attack more often. And third-party authentication through either a token or SMS depends on the security of that third-party provider.
The take-away? Multi-factor Authentication is an important and relatively straightforward step that you can take to improve the security of your online accounts and those of users within your company. However, it is a first step only and should be a part of a more comprehensive digital security strategy to secure your data and information that’s stored in the cloud. Check back here where we’ll highlight some additional digital security protocols to consider over the next several weeks!