Privileged Account and Credential Management: Part 3

Multi-Factor Authentication

When accessing computing and web services, we prove who we are through a process called authentication. Such services include: email, online banking accounts and social media.

There are three ways to authenticate, or prove who we are. Two-Factor or Multi-Factor Authentication uses at least two of the following:

  • Knowledge – Something you know
    • Username/Password – Credentials
  • Possession – Something you have
    • Token, Magnetic Stripe Card, Smart Cards, Mobile Phone; One-time codes; Drivers’ License
  • Inherence – Something you are / some part of you (Biometrics)
    • Fingerprints, voice, retina, iris, signature, vein, hand geometry

If someone acquires your passphrase, they can assume your identity and access all of your information and the data that you can access. The prevalence of breached social media services and password reuse has become the primary cause of hacked accounts and data theft. In previous blogs we discussed using passphrases that are difficult to guess, ensuring a different passphrase for every account (no password reuse), and never sharing passwords with others.

Using passphrases by themselves is no longer a secure authentication mechanism. Implementing at least two factors will help protect your identity and the data you access through authentication. Examples of Multi-Factor Authentication mechanisms include:

A common example of when we use two-factor authentication is when we access an ATM. If you want to withdraw funds or check your balance, you need two items/factors: your ATM/bank card (something you have) and your PIN (something you know). If you lose your card, no one can use it without the PIN.

Similarly, in an online environment, if you enable two-factor or multi-factor authentication with your email provider, you will need not only your username and passphrase but another factor, such as a code sent to a phone number on a different device or an associated authenticator app (such as the one in the image). In this case, if someone acquires your passphrase, they would not be able to log in to the service without also having your phone.
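To show what the "passphrase plus authenticator app" check actually does on the service side, here is an added example (not code from the original post or from UVic). It implements the one-time-code algorithm that authenticator apps use (HOTP, RFC 4226, and TOTP, RFC 6238) and a toy login that only succeeds when both the salted passphrase hash matches and the current code from the app is presented. The user name, passphrase and timestamps are constructed sample values; the `UserStore` class and its method names are assumptions for this example, not a real API. It also records the last accepted code counter so a code that was observed once cannot be replayed within the acceptance window.

```python
"""Toy two-factor login: something you know (passphrase) plus something you
have (an authenticator app generating TOTP codes). Added example; all data
below is constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000  # slow hash so a leaked database is hard to crack
TOTP_STEP = 30           # seconds per code, as in common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = time // step.
    This is what the authenticator app on the phone computes."""
    return hotp(secret, int(at_time) // step, digits)


class UserStore:
    """Minimal server-side account store (hypothetical, for this example)."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, passphrase: str,
                 totp_secret: Optional[bytes] = None) -> bytes:
        """Store a salted passphrase hash and a per-user TOTP secret. The
        secret is what gets provisioned into the authenticator app."""
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
        if totp_secret is None:
            totp_secret = secrets.token_bytes(20)  # 160-bit seed, RFC 4226 minimum
        self.users[username] = {
            "salt": salt,
            "pw_hash": pw_hash,
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest code counter already accepted
        }
        return totp_secret

    def login(self, username: str, passphrase: str, code: str,
              now: int, window: int = 1) -> bool:
        """Succeed only if BOTH factors check out. A correct passphrase with a
        wrong or missing code fails, and a code is accepted at most once."""
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                                        user["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False  # factor 1 (knowledge) failed
        counter = int(now) // TOTP_STEP
        # Allow +/- `window` steps of clock drift between phone and server.
        for c in range(counter - window, counter + window + 1):
            if c <= user["last_counter"]:
                continue  # already used: refuse replay of an observed code
            if hmac.compare_digest(hotp(user["totp_secret"], c), code):
                user["last_counter"] = c
                return True  # factor 2 (possession) confirmed
        return False


if __name__ == "__main__":
    store = UserStore()
    seed = store.register("alice", "correct horse battery staple")
    now = 1_700_000_000  # constructed timestamp
    print("passphrase only:", store.login("alice", "correct horse battery staple", "", now))
    print("both factors:   ", store.login("alice", "correct horse battery staple", totp(seed, now), now))
    print("replayed code:  ", store.login("alice", "correct horse battery staple", totp(seed, now), now))
```

The `hotp` and `totp` functions reproduce the published RFC test vectors (seed `12345678901234567890`, time 59 gives `287082`), so the codes match what a standard authenticator app would show for the same seed. Note that the login returns the same `False` for a wrong passphrase and for a wrong code, so a response alone does not tell an attacker which factor they got right.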

A challenge with Multi-Factor Authentication is that not all services are offering this yet. Most UVic Community members will not be able to make use of this service for UVic accounts.

Some resources identifying the various multi-factor authentication setups and how-tos are available here:

Account Monitoring:

Most social media accounts allow you to approve or monitor application or device connections.

Want more information on password security and authentication? Visit Kimberley Dray’s OAC site at https://onlineacademiccommunity.uvic.ca/infosec/