What if there was a way for you to lock down your online accounts to keep hackers out and it was free? Would this level of security (and cost) be of interest to you? Well, the good news is that such a solution is available in the form of multi-factor authentication. While there are many paid solutions, in this article, we are going to discuss one that is free. Our goal is to help you set up a strong second layer of defense for your online accounts like your EMR, insurance payor sites, and even your shopping sites. Let’s get started.
Imagine this scenario. You receive an email from the tech support of your online EMR. The email claims that your account may have been breached and they need you to log into your account and change your password. There is a link for you to click to be taken to the password change form. When you click it, you are presented with the normal login screen you see every day and you enter your username and password. From there, you are taken to a change password screen that allows you to change your password. However, this was all a phishing attack and now the attacker has your original password. They then log into your EMR and begin accessing patient data. Is there a way to help prevent this? You bet there is – multi-factor authentication.
What is Multi-Factor Authentication?
A factor is a method of authenticating with a computer, website, or device. For example, when you log into your phone or computer with a password, this is a single factor. It means you need one thing to be able to access your device.
When you log into a website, you are asked for a username and password. That is single-factor authentication. Some sites, usually banking and credit card sites, also send you a code by text message or email. That code is a second factor: even if an attacker has your username and password, they cannot get into your account without it. (Codes sent by text message are the weakest form of second factor, because phone numbers can be hijacked, but they are still far better than a password alone.) This is why adding a second factor raises the security of an account so much. The attacker must compromise something else you control, not just a password that may have leaked from some other site, and for most opportunistic attackers that is more work than your account is worth, so they move on.
There are exceptions when an attacker is focusing on a single person for a specific reason. For example, the CEO of a company or perhaps an engineer involved in a sensitive project. Individuals like this are often the target of foreign intelligence services to gain access to new technologies. Because of that, their method of multi-factor authentication must be much more robust and kept secure. However, for the average person, adding a secure second factor for authentication is enough to give high levels of account security.
Multi-factor authentication also provides good protection against phishing like the scenario above. Suppose you clicked the link and typed your username and password into a fake login page. The attacker now has your password, but without the second factor they still cannot log in. One caveat: a more sophisticated phishing page will also ask you for your authenticator code and forward it to the real site within the 30 seconds that code is valid. App-generated and text-message codes do not protect against that; a physical security key, which checks which website is asking before it responds, does. Even so, app-based codes defeat the large majority of phishing attempts, which are not that sophisticated.
Types of Multi-Factor Authentication
Factors themselves are divided into three categories. These are:
- Something you know: something that is in your memory, for example, a password or PIN. This is what most people are familiar with and use day to day. Passwords are not ideal, because most people do not choose strong ones to begin with. Password reuse is an even bigger problem: if the password you use on one website is exposed because that site itself is hacked, the attacker can then try it on every other account where you used the same password.
- Something you are: this refers to your physical characteristics. Examples include retinal scans, fingerprint scans, facial scans, etc. These are unique to you. Many users are familiar with fingerprint scanners on phones and laptops and may have used these. In addition, many smartphone manufacturers have integrated facial recognition as a method of logging into your device. When this is used by itself, it is a single factor. When it is combined with a password, it becomes multi-factor authentication (or two-factor authentication).
- Something you have: a physical object such as a hardware token, or your phone running a code-generating app. The app approach (Authy, Google Authenticator, and others) is the easiest way to use MFA on websites. Less common are physical security keys that plug into your device (or tap it over NFC) and require a button press when you log in. These are common in larger companies and government installations, and because the key checks which website is asking before it answers, they also resist phishing. YubiKeys are one example.
How to get started in 3 easy steps!
Ok, so you want to use some form of MFA to protect your accounts. What is the best way to get started?
The cheapest way to get started is to use an authenticator app. These apps are free and easy to use. It just requires that you install an app on your phone and then register the app with each site you want to have MFA on.
For this article, we will use Authy. You can read our own guide on using Authy here.
First, install Authy on your mobile device. It works on both iOS and Android and can be found in the Apple App Store or the Google Play Store.
Once it is installed, you are ready to go. Log into your site, for example, Amazon. Head over to the account settings and then security. For most online accounts, you will see an option to enable two-factor or multi-factor authentication. Enable it, and you will be asked what type of second factor you want to use. Choose the authenticator app option. It does not matter whether you installed Authy or Google Authenticator; they generate codes the same standard way, so either one works with any site that offers an "authenticator app" choice.
The website will display a QR code for you to scan with the authenticator app. Once you scan it using the phone's camera, you will see a 6-digit number that changes every 30 seconds. Type that number into the website to confirm the link. Many sites also show a short list of one-time recovery codes at this point; save them somewhere safe (a password manager or a printed copy in a locked drawer), because they are how you get back in if you lose your phone.
Once you do that, the site is linked with the authenticator app on your phone. Going forward, every time you log into the site, you will first provide your username and password, but after that, you will be asked for your authenticator app’s code. Launch the app on your phone and enter the 6-digit number it shows.
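As an added example (not part of the original article, and not Authy's or Google's code), the following Python shows what happens under the hood in the setup steps above, and it also illustrates the phishing caveat from earlier in the article. The QR code is just a short otpauth:// text that carries a shared secret. The app and the website each compute the same 6-digit code from that secret and the current 30-second time step (the HOTP and TOTP standards, RFC 4226 and RFC 6238), and the website accepts a code from a neighbouring time step to allow for clock drift. The last function models a relay phishing kit: a code typed into a fake page is still accepted by the real site if the attacker forwards it within that window. The secret below is the published RFC test key; the shop name and e-mail address in the URI are made up for the example.

```python
"""Added example: how an authenticator app's 6-digit code is computed and
checked (RFC 4226 HOTP / RFC 6238 TOTP). Not code from the original article
or from any authenticator vendor. Secret, issuer and account are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# The RFC 4226/6238 test key, used so the outputs can be checked against the RFCs.
RFC_TEST_KEY = b"12345678901234567890"

# What the QR code on the website actually encodes: the same key in base32,
# plus the parameters. Issuer and account name here are made up.
CONSTRUCTED_QR_URI = (
    "otpauth://totp/ExampleShop:you%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleShop"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = q["secret"].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)  # b32decode wants padding to 8 chars
    return {
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate to
    31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP where the counter is the number of `period`-second
    steps since the Unix epoch. This is what the app displays."""
    return hotp(key, int(unix_time) // period, digits, algorithm)


def verify_totp(key, submitted, unix_time, digits=6, period=30, window=1, algorithm="sha1"):
    """Server-side check. Accept the current step and `window` steps either
    side (clock drift, typing delay); compare in constant time."""
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        expected = hotp(key, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def relay_phishing_succeeds(key, unix_time, delay_seconds):
    """Model of a proxy phishing kit: the victim types the current code into
    the fake page at `unix_time`, the attacker submits it to the real site
    `delay_seconds` later. Returns True if the real site would accept it."""
    captured_code = totp(key, unix_time)
    return verify_totp(key, captured_code, unix_time + delay_seconds)


if __name__ == "__main__":
    params = parse_otpauth(CONSTRUCTED_QR_URI)
    now = time.time()
    code = totp(params["key"], now, params["digits"], params["period"], params["algorithm"])
    left = params["period"] - int(now) % params["period"]
    print(f"current code: {code} (valid for about {left} more seconds)")
```

The window in `verify_totp` is why a stolen code relayed within a few seconds still works, and why a code relayed a couple of minutes later does not; shortening the window helps a little, but the only real fix for relay phishing is a second factor bound to the website's address, such as a hardware security key.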
A hacker would now need to have both your username/password and your phone to get access to your authenticator app for them to get into your account. You’ve just locked down your account and will keep out all but the most determined attackers.
One thing to keep in mind is to make sure your authenticator app is backed up. If you lose your phone and have no backup, you will be locked out of every account you linked. Do not assume your phone's regular cloud backup covers this: the secrets inside authenticator apps have often not been included in those backups, so turn on the app's own backup feature (Authy has one, and protect it with a strong backup password) and keep the recovery codes each site gave you when you set it up. You can also install the app on more than one device, such as your PC and your tablet, so you can still get into your sites if your phone is lost.
Multi-factor authentication is a great way to protect your online accounts from attackers. With apps such as Authy and Google Authenticator, there is no cost so there is no reason not to get started using these apps.