More than a Password

Ever worry about getting hacked? Same…

Your password isn’t protecting you the way you think it is. Especially if someone can guess your password from looking at your social media. But let’s say you have a complex password – or a password manager even – unfortunately malicious cyber actors still have ways to get past your password. And once they’re in your accounts… you can wave bye-bye to your money, and possibly your identity.

So, what do you need? More than a Password! A second method to verify your identity.

Multifactor authentication (MFA) can make you much more secure. Taking the extra step beyond just a password can protect your business, online purchases, bank accounts, and even your identity from potential hackers.

Different ways to say MFA:

• Multifactor Authentication
• Two Step Authentication
• 2-Step Verification
• Two Factor Authentication
• 2FA

What is Multifactor Authentication?

Prove it’s you with two! … Two step authentication, that is. 

MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password.  

Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.

Online services want to make sure you are who you say you are, and—more importantly—they want to prevent unauthorized individuals from accessing your account and data. So, they are taking a step to double check. Instead of asking you just for something you know (e.g., a password)—which can be reused, more easily cracked, or stolen—they can verify it’s you by asking for another piece of information:

Why Should My Organization Enable MFA?

Implementing MFA makes it more difficult for a threat actor to gain access to information systems—such as remote access technology, email, and billing systems—even if passwords are compromised through phishing attacks or other means.

Malicious cyber actors are increasingly capable of phishing or harvesting passwords to gain unauthorized access. They take advantage of passwords you reused on other systems. MFA adds a strong protection against account takeover by greatly increasing the level of difficulty for bad actors.

Are you an organization that needs help getting started implementing MFA? 

What Else Should I Know About MFA?

Not all MFA methods gives you the same level of protection. Some MFA types are better than others—phishing-resistant MFA is the standard all industry leaders should strive for, but any MFA is better than no MFA. You should still strive to implement stronger MFA to avoid being hacked.

• The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. CISA urges all organizations to start planning a move to FIDO because when a malicious cyber actor tricks a user into logging into a fake website, the FIDO protocol will block the attempt. See CISA Fact Sheet Implementing Phishing-Resistant MFA, CISAJen’s blogpost Next Level MFA: FIDO authentication, and the Fido Alliance’s How Fido Works for more information.
• If you can’t currently implement phishing-resistant MFA, consider using numbers matching MFA to block mobile push bombardment and SMS-based attacks. See CISA Fact Sheet Implementing Number Matching in MFA Applications for more information.

For additional information on recommended forms of MFA, see CISA’s MFA hierarchy graphic, which sorts all the MFA types into tiers (strongest to weak).