Posted by Synopsys Editorial Team on Monday, October 1st, 2018
October is National Cybersecurity Awareness Month. One of the fastest, easiest ways you can make yourself safer is to turn on multifactor authentication. Do it the next time you open an app on your phone or log into any of your accounts. Multifactor authentication is much safer than single-factor authentication. And it’s becoming more widely available on systems and accounts of all kinds.
When a website asks you for a password, and only a password, it’s using single-factor authentication. That is, the website authenticates that you’re you based on a single test: whether you know your password.
Many account providers go a step beyond passwords and require that users provide several pieces of information. For example, when you call your bank, they might ask for your birthday, your mother’s maiden name, the last four digits of your social security number, and the answer to a secret question. That’s probably much safer than asking for a simple password, right?
The problem is that when your bank asks you for four pieces of information, it’s still using plain old single-factor authentication. The “factors” in authentication refer to types of information, not pieces of information. Modern authentication methods use three types of information: things you know (e.g., the name of your first pet), things you have (e.g., your phone), and things you are (e.g., your fingerprint). When your bank asks you for four things you know, it’s a little better than asking you for one. But it’s not multifactor authentication.
Why isn’t knowing four things much better than knowing one thing? Imagine your bank gets hacked, and the attackers make off with the user authentication database. (Or something simpler: You call your bank from the airport, and someone listens in on you as you answer the questions.) Now someone else has all the authentication information the bank wants.
Worst-case scenario: The person calls your bank and changes your secret question immediately, as well as your contact information. Your identity has just been stolen, and the onus is on you to prove you’re you and get your account back.
Maybe your bank finds out about the hack before the identity thief can access your account. Now you can change your secret question. But you can’t change your birth date, your mother’s maiden name, or your social security number (at least not easily). With those pieces of information, it’s not hard for the identity thief to trick a customer service rep and gain access to your account. (No matter how much training customer service reps get, they’re still people, not robots. And people often fall for social engineering tricks out of kindness, generosity, and other honorable motivations.)
Or maybe your bank decides that storing all that personal information is dumb and switches to another type of authentication system. Good for them! Unfortunately for you, many of your other account providers use the same pieces of information for their own authentication systems. Now that your identity thief knows everything you know, he or she could gain access to any of them—or all of them.
True multifactor authentication combines two or more types of information, rather than multiple pieces of the same type of information. The best-known example is when you log into a website by entering a password and then entering a code sent to your phone. Your password is something you know; your phone is something you have. Bonus points if you’ve set up fingerprint or face recognition on your phone. The biometric is checked by the phone itself, not sent to the website, so what it protects is the device that holds your second factor: someone who steals the phone still can’t read the code. Our smartphones make adding this third type of information, something you are, extremely convenient.
Other forms of two-factor authentication include codes sent via email, codes sent via a phone call or text message, authenticator apps such as Duo and Google Authenticator, and hardware security keys that plug into a USB port. All these systems count as multifactor authentication because they require something you know (your password) and something you have (your phone, your email inbox, or your key). They are not all equally strong, though. A code sent by text message or phone call can be redirected by someone who takes over your phone number, a code sent by email is only as safe as the password on that email account, and any code you type into a web page can be phished along with your password. An authenticator app or a hardware key never sends anything over the phone network, and a security key is tied to the real site, so a fake login page can’t reuse it. And again, adding biometric authentication to your phone adds yet another level of security and makes your accounts even safer.
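How a password-plus-code login of the kind described above fits together, as an added example written for this article (it is not Synopsys code and not the implementation of any app or vendor named here): the website computes the same six-digit code the authenticator app shows, from a secret shared once at enrollment and the current time (RFC 6238 TOTP built on RFC 4226 HOTP), and lets you in only when both the password and the code verify. The function names, the user record layout, the sample secret (the RFC 6238 test vector) and the timestamps are assumptions made for the example.

```python
"""Two-factor login: a password (something you know) plus a time-based one-time
code from an authenticator app (something you have: the phone holding the secret).
Illustrative code written for this article; not Synopsys code or any vendor's."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by most authenticator apps
WINDOW = 1    # tolerate one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time."""
    return hotp(secret, at_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI behind the enrollment QR code an authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP}")


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (the first factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Server-side record created when the user turns on two-factor authentication.
    The TOTP secret is shown to the user once (as a QR code) and then kept only here;
    the password is kept only as a salted hash. (Assumed record layout.)"""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret or os.urandom(20),  # 160-bit secret for HMAC-SHA1
        "last_counter": -1,   # highest time step already consumed, to refuse replays
    }


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Accept the login only if BOTH factors verify, and burn the code on success."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    base = now // STEP
    matched = None
    for drift in range(-WINDOW, WINDOW + 1):
        counter = base + drift
        # A time step whose code was already accepted is never accepted again, so a
        # code copied in transit is useless once the legitimate login has gone through.
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            matched = counter
    if not (pw_ok and matched is not None):
        return False
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector (SHA-1, 8 digits) checks the TOTP arithmetic.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8), "should be 94287082")
    # Constructed enrollment and login at Unix time 59.
    user = enroll("correct horse battery staple", rfc_secret)
    print(provisioning_uri(rfc_secret, "alice@example.com", "ExampleBank"))
    code = totp(rfc_secret, 59)
    print("password + code:", login(user, "correct horse battery staple", code, 59))
    print("replayed code:  ", login(user, "correct horse battery staple", code, 59))
    print("code only:      ", login(user, "wrong password", code, 60))
```

The code the phone shows and the code the server expects agree only because both sides hold the same secret and roughly the same clock, which is why a one-step drift window is allowed and why a code that has already been used for a successful login is refused even while it is still "current".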
You might think multifactor authentication isn’t right for you. Maybe you think fingerprint or face recognition is invasive (you’re right). Or you think two-factor authentication isn’t the knight in shining armor it’s cracked up to be (you’re right). Or you think it doesn’t matter anyway because your device can be spoofed (you’re almost right). Or you just don’t want to track down your phone every time you log into your email on your desktop.
These are absolutely valid complaints. But with data breaches so prevalent these days, you should assume your information is already for sale somewhere. Everything you know has been compromised. Keeping that information from being the only thing standing between you and identity theft is a smart move.