Why you should use MFA (and why even this may not be enough) 🔑
Notice: This text is purely informative. The information contained in it should not be used to pursue goals that are against the law.
As Internet users we all need multiple accounts - for email, social media, various platforms… However, many people still forget how important it is to keep these accounts safe. Losing one not-too-important account may seem like no big deal, but it is not that simple. There are a few reasons why you should care.
First of all, an account we have lost access to may be used to gain access to a different account. Maybe it can be used to reset a password? Or maybe we use the same login and password in more than one place? Obviously this is more than ‘not recommended’, yet many people still avoid unique passwords and password managers. And even if the account is totally separate from the others, there are still dangers. An online shop account? It probably holds your address and transaction history. A messaging app? There is a high chance it contains some of your private messages or photos. Even if they couldn’t be used to embarrass you, you can simply lose something important.
Access to almost any of your accounts can be used against you. Lawyers have a saying: ‘give me a person and I’ll find a statute to charge them with’. Cybercriminals could have a similar one - ‘give me access to the account and I’ll find a way to harm its owner’. So I suggest you don’t test on yourself what can be used against you.
So, what can you do to protect yourself from cybercriminals? There are a few steps, so let’s discuss them.
Common first layer - a password
Before we start talking about multi-factor authentication, let’s discuss one of its possible factors, which is also the most popular authentication method - passwords.
Unique passwords
Why they are important?
The first step is to use unique passwords. If one password gets compromised, the attacker still cannot access other accounts with the same credentials. Our reaction to a data leak is also easier - we need to change only one password, not the passwords to all the accounts we have.
Disclaimer: There are websites that let you check whether your data has appeared in a known leak, e.g. ';--have i been pwned? or DeHashed (more advanced; some uses may be illegal).
Why they are not enough?
Unique passwords are a great idea, but our account can still be stolen. That is better than losing multiple accounts, but still not the best scenario. Unique passwords do not guarantee safety - they only provide a kind of separation between accounts.
Uncommon passwords
Why they are important?
We can have a unique password for each account, but they can still be passwords that are common across society. Think about qwerty, 12345 or admin… I am sure they are used in many places, so you should definitely avoid them. In this case the attacker doesn’t even have to crack or otherwise obtain one of your passwords - he can simply try the most popular ones.
Disclaimer: There is even a Wikipedia page listing the 10,000 most common passwords: Wikipedia:10,000 most common passwords.
Why they are not enough?
Your password can be uncommon but still very weak. It may seem secure - e.g. if it is a totally random sequence of characters - but if it is short, the whole space of possible passwords can simply be searched. Computers get faster and faster, so short passwords become easier and easier to crack. So not only uniqueness and uncommonness but also strength matters.
Strong passwords
Why they are important?
Let’s start by explaining what a strong password really is. The most popular answer is: a password containing lowercase letters, uppercase letters, digits and special characters - generally, a complicated one. Pretty close to the truth, but missing probably the most important part. Primarily, the password should be long. Currently specialists suggest at least 16 characters. With current computing power a password of a few letters can be cracked in seconds (or near instantly). Each additional character multiplies the number of possible passwords by the size of the character set, so the cracking time grows from seconds to minutes, then hours, days, years, decades, centuries or even millennia. A password with enough characters therefore becomes uncrackable in any sensible time - provided it is actually random, not a dictionary word with predictable substitutions.
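To make the "each additional character" argument concrete, here is an added worked example (mine, not part of the original post) that computes the entropy of a uniformly random password and the expected brute-force time for several lengths and character sets. The character-set sizes and the attacker speed of 10 billion guesses per second (a leaked fast hash attacked on GPUs) are assumptions chosen for illustration; the shape of the table is the point, not the exact numbers.

```python
import math

# Character-set sizes used for the estimate (assumed; the last row is printable ASCII).
CHARSETS = {
    "digits only": 10,
    "lowercase": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}

# Assumed attacker speed: guesses per second against a leaked fast hash on GPUs.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` characters chosen uniformly at random."""
    return length * math.log2(charset_size)


def expected_crack_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker tries half of the keyspace."""
    return charset_size ** length / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit, with one decimal."""
    value = seconds
    for name, factor in (("seconds", 60), ("minutes", 60), ("hours", 24),
                         ("days", 365.25), ("years", None)):
        if factor is None or value < factor:
            return f"{value:.1f} {name}"
        value /= factor
    raise AssertionError("unreachable")


def crack_table(lengths=(6, 8, 10, 12, 16), guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (charset name, length, entropy bits, expected crack time as text)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(n, size), 1),
                         human_time(expected_crack_seconds(n, size, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for name, n, bits, t in crack_table():
        print(f"{name:24} len={n:2}  {bits:6.1f} bits  ~{t}")
```

Note that the table only describes random passwords: a 16-character phrase built from dictionary words with predictable substitutions has far fewer effective possibilities than 95^16, which is why the advice is "long and random", ideally generated by a password manager.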
At this point it may seem impossible to fulfil all these requirements. Unique. Uncommon. Strong. I have heard many times that it is impossible to remember all of them. Fortunately, you don’t have to. There are many password managers that can help you. The easiest way is to use the one built into your browser, but you can also use a dedicated app - e.g. KeePassXC, Bitwarden or 1Password (and there are many more!).
Why they are not enough?
If a password needs ages to crack, it may seem safe. However, by now it probably won’t be a surprise that it can still be insufficient. Even a strong password can be compromised - and from that moment it is not secure any more. Sometimes passwords aren’t stored properly on the server side (e.g. they are kept in plaintext, reversibly encrypted, or hashed with a fast unsalted hash instead of a slow, salted password hash such as bcrypt, scrypt or Argon2), and then they become useless after any data leak, no matter how strong they were. Hence we need a next level of security - adding a second layer.
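The "barely protected" case above is worth seeing side by side with proper storage. The following is an added example of my own, not code from the post: the weak variant stores an unsalted MD5 digest, which an attacker inverts instantly with a precomputed table of common passwords; the strong variant uses the standard library's scrypt with a random per-user salt and a cost factor, so the same password yields different records and every guess is expensive. The wordlist and record format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of popular passwords an attacker would try first.
COMMON_PASSWORDS = ["123456", "qwerty", "admin", "password", "letmein"]


def store_weak(password: str) -> str:
    """The 'barely protected' case: an unsalted fast hash (MD5). Two users with the
    same password get the same digest, and a precomputed table inverts it instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest: str, wordlist) -> Optional[str]:
    """Offline attack on a leaked weak digest: hash the wordlist once, look the digest up."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest)


def store_strong(password: str, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Salted, memory-hard password hash (scrypt from the standard library).
    The random per-user salt defeats precomputed tables; the cost parameters
    make each guess expensive for an attacker who steals the database.
    Record format (assumed for this example): scrypt$n$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_strong(record: str, password: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash record: {algo}")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked = store_weak("qwerty")
    print("weak digest", leaked, "->", crack_weak(leaked, COMMON_PASSWORDS))
    record = store_strong("qwerty")
    print("strong record", record)
    print("verify ok:", verify_strong(record, "qwerty"), "wrong:", verify_strong(record, "admin"))
```

Even the strong variant does not rescue "qwerty" itself: an attacker can still guess common passwords one by one, just slowly. Proper hashing buys time for users with strong passwords to rotate them after a leak; it is not a substitute for a second factor.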
Multi-factor authentication (MFA), at least 2FA - possible options
Single-factor authentication requires only one piece of evidence to let a user in. MFA adds more factors (at least one more, which gives two-factor authentication). They should come from at least two distinct groups: (1) something we know (e.g. a password, an answer to a question, a PIN), (2) something we have (e.g. a security key or token), (3) something we are (e.g. a biometric or behavioural characteristic). Two pieces of evidence from the same group - e.g. a password plus a PIN - do not count as MFA.
We’ll discuss three possible versions of the second security layer (assuming the first layer is a password) - biometrics, codes from authenticator apps or SMS, and physical security keys.
Biometrics
Why it is important?
Biometrics are convenient for verifying a person. Fingerprint or iris recognition has become easy to use and is available on many devices. Bypassing this verification normally requires physical access to the scanner.
Why it may not be enough?
The most significant problem with biometrics is that the devices aren’t perfect. They must tolerate minor differences between scans (a perfectly precise scanner would be nearly unusable outside a laboratory), so they can be fooled. There are many sources where people show how they bypassed such systems with purpose-made items - e.g. masks or fingerprint moulds. And sometimes it doesn’t even take that much effort - our fingerprint can be captured by someone while we are asleep or standing in a crowd. Unlike a password, a biometric cannot be changed once it has been copied. Thus, in this case too, MFA may not be enough.
Codes from apps or SMS
Why they are important?
The second popular version of a second factor is codes from authenticator apps or SMS. A code is meant to be used only once, changes regularly (time-based codes usually every 30 seconds) and requires live access to the phone or app. They are one of the best widely-used methods, because obtaining them is not that easy for an attacker. Of the two, app-generated codes are the better option - SMS can be intercepted or redirected to an attacker’s phone through SIM swapping.
Why they may not be enough?
I said that obtaining them isn’t that easy. Unfortunately, it is still possible. One way can be described like this: we accidentally enter the code on a fake website, get an error while logging in and are redirected to the real login page to try again. Meanwhile, the attacker receives our verification code and uses it himself (even though a code cannot be used more than once, we haven’t really used it yet, so he still can). And that’s it - someone has access to our account. This attack requires more effort, so it probably won’t be used in mass campaigns, but sometimes access to an account is worth it.
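To show both how the codes above work and why the relay attack succeeds, here is an added example (my code, not from the post): a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), a server-side verifier that tolerates one step of clock skew and records the last accepted step so a code cannot be replayed, and a constructed run of the scenario from the paragraph. The secret is the RFC test key, so the codes can be checked against the published test vectors; the 30-second step and the ±1 window are the usual defaults, assumed here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP = 30  # seconds per code, the RFC 6238 default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    now = time.time() if at is None else at
    return hotp(key, int(now // STEP), digits)


class TotpVerifier:
    """Server side: accepts a code for the current step +/-1 (clock skew) and remembers
    the highest step already accepted, so the same code cannot be used twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_accepted_step = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        current = int(now // STEP)
        for step in (current - 1, current, current + 1):
            if step <= self.last_accepted_step:
                continue  # that step (or an older one) was already consumed: replay
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


def relay_attack_demo(at: float) -> Tuple[bool, bool]:
    """Constructed scenario from the text: the victim types the current code into a
    phishing page; the attacker submits it to the real service first, and the victim's
    retry a few seconds later is refused because the code has already been consumed."""
    key = b"12345678901234567890"  # RFC 4226 / 6238 test secret, not a real one
    server = TotpVerifier(key)
    code_typed_on_fake_site = totp(key, at)
    attacker_ok = server.verify(code_typed_on_fake_site, at)
    victim_ok = server.verify(code_typed_on_fake_site, at + 5)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("TOTP at t=59 :", totp(b"12345678901234567890", at=59))
    print("attacker, victim:", relay_attack_demo(59.0))
```

The one-time property is enforced only by the server's bookkeeping: nothing in the code itself ties it to the website it was typed into, which is exactly the gap a real-time phishing proxy exploits and the gap that security keys close.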
Security keys
Why they are important?
A security key is a small device similar to a USB stick, which you insert into a port to log in (or hold near the device to use it over NFC). It has a few obvious advantages over the other methods. One is that the attacker would need physical access to the key. It is also resistant to phishing - the key signs a challenge bound to the website’s origin as the browser saw it, so there is no code to enter on a fake website by mistake, and a login started on a fake site simply produces a signature the real site will not accept.
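The origin binding that makes keys phishing-resistant is worth seeing in code. The following is an added example of my own, not from the post or any vendor: it simulates the data a browser passes around during a FIDO2/WebAuthn login (clientDataJSON, which the browser fills in with the origin it is actually on, and authenticatorData, which starts with a hash of the relying party ID) and the relying-party checks from the WebAuthn "Verifying an Authentication Assertion" procedure that reject an assertion produced on a look-alike domain. The relying party ID example.com and the phishing domain examp1e.com are assumed; the signature over the data, which a real relying party must also verify against the registered public key, is deliberately left out so the example needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple

RP_ID = "example.com"                      # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"    # the only origin the site accepts


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_builds_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulates the browser + authenticator. The browser, not the web page, writes
    `origin` into clientDataJSON and refuses an rpId that is not a registrable suffix
    of the page's own domain, so a page on examp1e.com cannot claim example.com.
    (The authenticator's signature over authenticatorData || sha256(clientDataJSON)
    is omitted in this example.)"""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    flags = b"\x01"                     # UP bit: user touched the key
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = rp_id_hash(rp_id) + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks that give phishing resistance: ceremony type, the challenge
    this server issued, the origin the browser observed, the rpIdHash, and user presence.
    Signature verification with the credential's public key would follow these checks."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                    # assertion was produced on another site
    auth = assertion.get("authenticatorData", b"")
    if len(auth) < 37 or not hmac.compare_digest(auth[:32], rp_id_hash(RP_ID)):
        return False                    # signed for a different relying party
    if not auth[32] & 0x01:
        return False                    # no user presence
    return True


def phishing_scenario() -> Tuple[bool, bool]:
    """Constructed run: same challenge relayed by a phishing proxy on examp1e.com."""
    challenge = secrets.token_bytes(32)
    legit = browser_builds_assertion("https://example.com", challenge, "example.com")
    phished = browser_builds_assertion("https://examp1e.com", challenge, "examp1e.com")
    return verify_assertion(legit, challenge), verify_assertion(phished, challenge)


if __name__ == "__main__":
    print("legit accepted, phished accepted:", phishing_scenario())
```

Contrast this with the TOTP case: the six-digit code carries no information about where it was typed, whereas here the origin and rpIdHash travel inside the signed data, so relaying the assertion from a fake site to the real one fails at the server even if the user did everything the phisher asked.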
Here you can find out more about popular security keys - YubiKeys.
Why they may not be enough? Or why they should be enough?
This method has probably only one serious problem: the security key can be stolen. However, that scenario points to a more serious problem. It would require from the attacker not only a cybercrime but also a physical theft, so it applies only to limited cases. Moreover, the thief still needs your password (the first factor), many keys additionally require a PIN or a touch, and a lost key can be removed from your accounts - provided you registered a second, backup key beforehand and keep it somewhere safe. Hence security keys should be enough for most users, especially as a second (or further) authentication factor. They are probably the most secure option currently available.
We have discussed multiple options for securing an account. Unfortunately, we cannot get rid of all potential vulnerabilities with only one method. However, combining methods from different groups of evidence allows us to minimise the risk of losing an account. When we have to present something we have, or confirm who we are, after telling something we know, our security increases drastically. I strongly recommend that you enable multi-factor authentication everywhere you can. It simply makes your accounts safer - not impossible to take over (you can still be kidnapped, blackmailed and so on…) but it definitely helps in less extreme cases.
Stay safe!