Defense in Depth — Multi-Factor Authentication
In a recent interview on his stellar podcast (https://www.youtube.com/watch?v=hy2G3PhGm-g), Lex Fridman asks Nicole Perlroth, a cybersecurity-focused journalist, the following:
“If you could fix one thing in the world, in terms of cybersecurity that would make the world a better place, what would you fix?”
“Two factor authentication. Multi-factor authentication. It’s ridiculous how many of these attacks happened because someone didn’t turn on multi-factor authentication.”
Nicole goes on to tell the story of how the massive Colonial Pipeline hack a few years ago occurred because a former employee’s account wasn’t deactivated and their password, which had been reused on multiple services, harvested in another attack and dumped online, was used to get into the control center and shut things down. Despite all of these other security failings (not deactivating an old account, password reuse, not changing the password once it was known), one additional layer would have negated them all: a second factor of authentication.
Simply put, two-factor or multi-factor authentication (the terms are often interchanged but essentially mean the same thing) means that in addition to your username and password, you must supply an additional form of authentication — often a text message containing a short numerical code — in order to log into a service. While multi-factor authentication comes in many flavors (SMS or text-based codes, authenticator apps, physical security keys, e-mailed verification codes, etc.), they all have the same aim: ensuring that a single password is not all that is needed to gain access to an account.
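To make the "authenticator app" flavor concrete, here is an added example (not code from the original post) of how such apps compute their six-digit codes (RFC 6238 TOTP on top of RFC 4226 HOTP) and how a login check requires both the password and the code. The user store, salt and password are constructed; the shared secret is the public RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo data: the secret is the RFC 6238 test-vector key (ASCII "12345678901234567890") in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-salt"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32, code, at, step=30, window=1):
    """Accept the current step or one step either side, tolerating small clock drift between phone and server."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
               for d in range(-window, window + 1))


def hash_password(password):
    """Constructed stand-in for a real password hash (use argon2 or bcrypt in production)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


# Constructed user store: one account enrolled with the demo TOTP secret.
USERS = {"alice": {"pw_hash": hash_password("correct horse battery"), "totp_secret": DEMO_SECRET}}


def login(username, password, code, users=USERS, at=None):
    """Both factors must check out: a leaked or reused password alone never gets through."""
    at = int(time.time()) if at is None else at
    user = users.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    return password_ok and verify_totp(user["totp_secret"], code, at)
```

The `window` parameter is the usual compromise between usability (phone and server clocks rarely agree to the second) and exposure (each extra step is another code an attacker could guess).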
For a time, multi-factor authentication was not widely used, or if it was, you had to go digging through layers and layers of settings to find out how to turn it on. But not anymore. Every major social media company, every bank, and every e-mail provider either fully supports some type of multi-factor authentication, or will shortly. Heck, my son even came to me a few months ago asking if I could help him turn on “MFA” (Multi-Factor Authentication) on his Fortnite account because he would get a few player skins if he did so.
Yes, it can be a bit annoying not only to remember which password goes with which service (even with multi-factor, please don’t reuse passwords across sites), but also to type in another form of authentication. But there is a world of people out there looking to cause harm and destruction for their own gain. You may not be protecting a nation’s critical infrastructure, but you are protecting yours and your family’s. A minor inconvenience today can prevent major pains tomorrow.
For a listing of services that support multi-factor authentication, see https://2fa.directory/us/