Why a Strong Password isn’t Enough: Your Guide to Multifactor Authentication
The Bottom Line
Even if you do follow password best practices, cyber adversaries have a growing arsenal of tools and capabilities to crack your passwords and gain unauthorized access to your accounts.
This makes multifactor authentication (MFA) an essential defense against threat actors that might attempt to gain access to your personal device, social media accounts, bank accounts, medical accounts, or any other password-protected information system. MFA provides an extra layer of protection, so that threat actors who succeed in compromising your password do not immediately gain access to your account and the sensitive information it contains.
The Problem
A strong password is not enough to keep your account safe.
Threat actors have many methods for gaining unauthorized access to accounts that are only protected by one form of authentication, such as your username and password.
Phishing is one common method that threat actors use to steal account credentials. In a phishing attempt, a threat actor might send you a convincing message that contains a link to a fake version of the login page for a popular website to obtain your credentials for that site. If your account is only protected with a password, they may be able to steal all the information they need to log into your account.
If your account is protected only with a password, a threat actor who has compromised that password can access your account.
The Solution
Implement MFA to make it more difficult for a threat actor to access your account.
MFA ensures defense in depth, adding more obstacles for threat actors. When you implement MFA, a threat actor cannot immediately access your account, or another targeted information system, simply by compromising your account credentials.
Types of MFA available
MFA requires users to present authenticators from at least two of the three main categories:
- Something you know (e.g., a password, PIN code, or security question)
- Something you have (e.g., a software token, physical token, or one-time password)
- Something you are (e.g., biometric data)
Use the strongest option of MFA available to you.
While implementing any form of MFA is better than not implementing MFA at all, here is a ranking of MFA solutions from strongest to weakest:
- Strongest – physical tokens with FIDO Authentication
- Physical tokens
- Biometric authentication
- Software token
- Email one-time passcode
- Weakest – SMS one-time passcode
Whenever possible, select the strongest MFA option available to you.
Consult the manufacturer’s guide to set up your chosen form of MFA. Here are some guides for widely used physical and software tokens:
Yubico’s security keys are physical tokens that are FIDO compliant. Check out CISA’s Cybersecurity Resources for High-Risk Communities webpage for more information on Yubico’s Secure it Forward program, which makes YubiKeys available to high-risk communities for free. Also, check out Yubico’s Secure it Forward for more information on how YubiKeys work with other resources available to high-risk communities, such as Google’s Advanced Protection Program, Microsoft AccountGuard, and Cloudflare’s Project Galileo program.
Microsoft Authenticator is an example of a software token: Set up the Microsoft Authenticator app as your verification method - Microsoft Support.
Google Authenticator is another common software token: Get verification codes with Google Authenticator - Android - Google Account Help.
Okta Verify is another common software token. See Set up Okta Verify on Android devices | Okta, Okta, Set up Okta Verify on iOS devices | Okta, Get started with Okta Verify on Windows devices | Okta, or Get started with Okta Verify on macOS devices | Okta, depending on what device you would like to install the app on.
You can find an exhaustive list of all products that are FIDO certified here: FIDO Certified Showcase (fidoalliance.org)
Takeaways
Do
- Implement MFA to protect your accounts.
Do Not
- Use a single form of authentication.
Project Upskill is a product of the Joint Cyber Defense Collaborative.
Prerequisites
- Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
- Module 2: Protecting Your Accounts from Compromise
- Topic 2.0: Formulate Strong Passwords and PIN Codes
- Topic 2.1: Cyb3R_Sm@rT!: Use a Password Manager to Create and “Remember” Strong Passwords