Recently, I wrote about how attackers often target a user’s username and password to gain access to sensitive information. Indeed, by simply getting the login credentials, the attacker gains access to the user’s account. Think about it like a physical safe. The combination protects the contents by keeping out anyone who does not have it. The combination is the single barrier protecting the contents. Yes, usernames and passwords are this important. Check out the article on usernames and passwords here.
Protect against compromise
As we have discussed, the combination is very important. What would we do, though, if someone else has the combination? Is there a way to protect against that? The good news is yes, there is. Enter MFA, or Multifactor Authentication. Simply put, MFA is an additional layer of security, which must be passed before access is granted. Going back to our safe example, an additional combination would have to be entered after the original combination. The trick is that this second combination would have to be entered from a token, which generates a random set of numbers every 30 seconds. You see, MFA has to be something that only the user knows, has, or is.
Let us follow this safe example all the way through. Joe wants access to his safe to get his sensitive documents. Joe enters his combination, and is prompted by the safe to enter a second combination. This time, the second combination comes from a token that Joe carries on his car keys. This token generates a random 6-digit combination every 30 seconds. In order to open the safe, Joe must enter this 6-digit combination before it changes. For this to work, the safe and the token must have been talking to each other, so that the safe knows the 6-digit combination Joe sees is valid. In 30 seconds, Joe will see a new set of numbers, and again the safe knows that this new set of numbers is valid.
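How a safe and a token can agree on the same 6-digit code every 30 seconds, shown as an added example that is not part of the original article. It assumes the token follows the TOTP standard (RFC 6238), which the article does not name, and uses that RFC's published test secret; both sides hold the same secret and a clock, so the safe recomputes the code rather than receiving it from the token.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the code changes every 30 seconds, as in the article
DIGITS = 6          # the 6-digit combination Joe reads off his token

# Test secret published in RFC 6238 (assumption: a real token gets its own
# random secret when it is paired with the safe).
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """What the token displays at unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, submitted, unix_time, last_used_step=-1, drift_steps=1):
    """What the safe does: recompute the code and compare.

    Accepts the current 30-second step plus or minus drift_steps to allow
    for clock skew, and rejects any step at or before last_used_step so a
    code that was already used (or overseen) cannot be replayed.
    Returns the matching step number, or None if the code is rejected.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = totp(secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return step
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("token shows:", code)
    print("accepted at step:", verify(SECRET, code, 59))
    print("replayed:", verify(SECRET, code, 59, last_used_step=1, drift_steps=0))
```

The safe stores the step number returned by `verify` as `last_used_step`, which is what makes each code single-use.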
Another example of this token could be a key fob, a device that Joe could swipe on the safe door. Again, following the safe example, Joe would simply enter his combination to the safe, then take his car keys out, and swipe the key fob he carries on the key fob reader. After swiping the key fob, Joe can now open his safe.
In both of these examples, Joe knows the safe combination, but must also present something he has: either the additional combination or the key fob. If someone else had the safe combination but not the additional combination or key fob, they would not be able to open the safe. It is this benefit that makes MFA so strong at protecting your account: no one else but Joe has all of the necessary items to open the safe.
In a digital sense, with usernames and passwords, the concepts are the same. Joe knows his username and password, but must also present something “extra”. This “extra” could again be a key fob, a token, or a mobile app push notification. The likelihood that someone other than Joe would have both of these items, the password and the “extra”, is low. In fact, Microsoft, as reported by Forbes, found in a 2019 report, “[…] 99.9% of identity attacks could have been thwarted by turning on MFA.” In this report, Microsoft found that some 44 million usernames and passwords were exposed, but if those exposed accounts had MFA turned on, the attacker would need to know that extra requirement as well to access that account. Indeed, MFA is that strong of a control.
In closing, consider turning on MFA for all of your online accounts, where applicable. MFA is quick and easy to turn on and there are plenty of online instructions and tutorials to walk through this process. Your personal email account is a good first place to start. All of the popular online email providers make it easy to do this. Take a small step towards increased security, and turn on MFA.
Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at wilsonbank.com, our mobile app, or call us at (844) WBT-BANK (844-928-2265).