by Dave Moore, CISSP, 09/05/2021
To learn how to stay out of trouble on the Internet, including using 2FA/MFA, take the new version of my free, one-night-only class on computer and Internet safety, “Fight the Internet Bad Guys and Win,” on Wednesday, September 29, 2021, at 6:30 p.m., at the Central Location of the Norman Public Library. Reserve your seat by calling the library at (405) 701-2600, or register online at pioneer.libnet.info/event/5524409. Sponsored by McClain Bank, The Norman Transcript, Josh Nelson Allstate Insurance and the Pioneer Library System.
Back in the mid-1980s, when I began my journey with computer electronics, people didn’t have multiple online accounts like they have today. If you had any sort of computer-related “account” at all, you were probably associated with a government agency, a research facility, or some type of academia, using ARPANET, CSNET or NSFNET, the predecessors to the modern Internet.
Alternatively, if you were like me, and limited to more modest computer aspirations, you used a “home” computer (mine was a Commodore 64) and you connected to “Bulletin Board Systems,” which were akin to modern websites, using a dial-up modem over telephone networks. You could also subscribe to consumer-oriented network services like FidoNet or CompuServe, which charged by the minute.
To access all these wonderful technologies, you used, much like today, an “account,” which consisted of a user name (either assigned or invented by you) and a password. Those two things unlocked all the online doors there were. Password requirements were simple; security was not a huge consideration, and online crime was relatively rare.
Fast forward to today, and things have changed dramatically. Even though online crime has exploded to colossal pandemic proportions, we are still using usernames and passwords. Even though password requirements have become more stringent, and security has come front and center, we need more in the fight to stay safe on the Internet; usernames and passwords are no longer enough. Enter 2FA and MFA.
Two-factor authentication (2FA) and multi-factor authentication (MFA) are terms essentially describing the same thing: a way of presenting additional evidence (called “factors”) in order to prove you are who you say you are when you try to sign in to an online service. The whole process is called “authentication,” i.e., you are bona fide, or “authentic,” the real “you.”
The old username/password model only uses one “factor,” that being the password. One reason for having another “factor” is that so many password databases have been hacked and exposed to anyone who wants to look. Some people are also guilty of using weak, easily-guessed passwords which they never change. Yet another reason for needing another “factor” is too many people using the same password for all of their accounts. Having more factors makes it more difficult for the wrong person to access an account.
Factors include something you have (like a bank card), something you know (like a password or PIN), something you are (biometrics, like a fingerprint or other physical characteristic unique to you), and somewhere you are (such as connected to a specific network, or location information like GPS).
The most common use of multifactor authentication is being sent a code in a text message on your phone when you try to log in to an online account. For example, you sign in to Amazon by providing your password (the first factor). Amazon texts you a code that you must enter (the second factor), and then you are allowed to use your Amazon account.
Unfortunately, even though it is still widely used, text messaging is no longer advised as a way to get MFA/2FA codes. The Internet bad guys have figured out too many ways to hack the text method. Microsoft actually issued an alert last November saying that, because of security concerns, people need to move away from text message-based 2FA and start using authenticator apps like Authy or Microsoft Authenticator, or “secure tokens” like YubiKey.
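For readers who want to see what happens behind the sign-in screen, here is an added example (not part of the original column) of a server checking a password and then an authenticator-app code. It assumes the app generates standard time-based codes (TOTP, RFC 6238), which Authy and Microsoft Authenticator support; the account record and function names are hypothetical.

```python
import hashlib, hmac, os, struct

STEP = 30  # seconds per code, the usual authenticator-app default

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    return hotp(secret, int(now) // STEP, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, secret: bytes) -> dict:
    """Hypothetical server-side record; the field names are assumptions."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "secret": secret, "last_counter": -1}

def verify_login(account: dict, password: str, code: str, now: float) -> bool:
    # Factor 1, something you know: the password.
    if not hmac.compare_digest(hash_password(password, account["salt"]),
                               account["pw_hash"]):
        return False
    # Factor 2, something you have: the phone holding the shared secret.
    # Accept one step either side for clock drift; never accept a step twice.
    current = int(now) // STEP
    for counter in range(current - 1, current + 2):
        if counter <= account["last_counter"]:
            continue
        if hmac.compare_digest(hotp(account["secret"], counter).encode(),
                               code.encode()):
            account["last_counter"] = counter
            return True
    return False

# Constructed sample secret: the published RFC 6238 test key.
SECRET = b"12345678901234567890"
```

The code never travels over the phone network: the phone and the server each compute it from a secret shared once at enrollment, so there is no text message to intercept.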
Next week: how to use MFA/2FA tools like Authy and YubiKey.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org.