By Evan Fagan and Craig Taylor

What’s Authentication and Why is it Important?

The theft of millions of online user accounts and passwords no longer surprises most people. Yahoo recently publicized the theft of at least 500 million user accounts; LinkedIn, Myspace, and Dropbox have each announced similar breaches earlier this year! What makes these breaches so potentially damaging is that so many people reuse the same passwords across many of their online accounts. Reusing a password that has been stolen from another website puts your online accounts at significant risk because hackers have learned to reuse your stolen password! Once a hacker sees your username and password, they immediately try logging into your online email and bank websites. Worse, hackers can usually reset passwords at most online websites by simply requesting a password recovery email. Where does that recovery email go? Why, to your compromised online email account!

All of these attacks have one thing at their core: they all start with authentication. As a security concept, authentication is the process of comparing the credentials you type into a website with the credentials stored in that website's database (often stored unencrypted). If they match, you get in. Unfortunately, when you reuse credentials, or even when you only change the last numbers of your password from, say, "ILovecookies99" to "ILovecookies100", hackers know to try logging into your banking and webmail sites using passwords of "ILovecookies01", ...02, ...03, all the way through "ILovecookies99999".

As recommended by SANS Securing the Human and numerous security professionals, including yours truly, each of us should make every password we use unique at every site we visit online. While this is virtually impossible to do without technological assistance, it is easily accomplished using free, quick, and highly efficient password managers. Modern password managers synchronize all your accounts between smartphones, laptops, and iPads alike. Most password managers are free for personal use, including Dashlane and LastPass. Now, is a password manager truly foolproof? No. Is it a tremendous first step? Absolutely. However, for your truly critical online accounts (think banking and webmail) you really ought to consider something called multi-factor authentication.

Multi-Factor Authentication Can Prevent Critical Accounts from Compromise

Multi-Factor Authentication (MFA) is the use of more than one authentication factor to access an account. Typically, for online accounts, this is a password (something you know) plus a randomly generated code (a one-time password) that comes from an authenticator application, from a text message, or from a physical security token. These codes typically last only 60 seconds and are virtually impossible to crack before they expire. A commonly used third factor is biometrics, including fingerprints, voice recognition, or even your retina or palm print. Most smartphones now use fingerprint authentication, except after a reboot, when they revert to a password to unlock.
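The one-time codes described above are usually produced by the TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP). The following is an added example, not code from the article: it generates a code from a shared secret and the current time, and shows the server-side check that accepts the current time step plus one step of clock drift, so a captured code stops working once its window has passed. The secret and timestamps are the RFC 6238 test vectors, not real account material; the 30-second step is the RFC default (the article's 60 seconds is simply a different step length).

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code; RFC 6238 default (authenticator apps use this)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros

def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of steps since the epoch."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = TIME_STEP, window: int = 1, digits: int = DIGITS) -> bool:
    """Server side: accept the current step and `window` steps either side (clock drift).
    compare_digest keeps the comparison constant-time; a code outside the window is rejected,
    which is why a stolen code is useless once its minute or so has passed."""
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False

def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret as base32 (the QR code payload)."""
    return base64.b32decode(b32, casefold=True)

if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed test data, not a real account secret).
    key = b"12345678901234567890"
    t0 = 59
    code = totp(key, t0)
    print("code at t=59:", code)                                   # 287082 (RFC vector, last 6 digits)
    print("accepted at t=59:", verify_totp(key, code, t0))        # True
    print("accepted one step later:", verify_totp(key, code, t0 + TIME_STEP))   # True (drift window)
    print("accepted three steps later:", verify_totp(key, code, t0 + 3 * TIME_STEP))  # False (expired)
```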

Critical accounts that require the highest level of access protection include your bank accounts and email accounts. Email matters because these accounts are used to reset passwords at other online websites, and if compromised they can lead to a whole host of other problems, including identity theft and information disclosure. Accounts with MFA enabled use both a password (factor 1) and some other factor (as described above) that is unobtainable through the normal means of theft and hacker compromise. Put another way, passwords can be cracked, guessed, or stolen directly and indirectly, but a second factor coming from your smartphone, keyfob, or fingerprint is much, much harder to steal together with your password.

The benefits that MFA provides are the reason why the White House and numerous tech companies are urging customers to use this technology on every account. While strong, unique passwords are still a necessity for each and every online account you own and operate, for high-value accounts such as your 1-click account, bank accounts, iCloud account, and online email accounts, a password alone is no longer enough to secure them; you should strongly consider enabling multi-factor authentication on these accounts. Will it be less convenient? Absolutely. Will you avoid major headaches such as identity theft, email embarrassment, and stolen accounts if you implement 2FA? Highly likely!