Multi-factor Authentication is 99% Effective Against Hacking

Transcription

MFA is 99% Effective Against Hacking

Carol: Hi there. I want to introduce you all to Emory Lindsay. He’s on the projects team here at MIS solutions, but he’s also on our cyber security team, which means he’s super smart and knows a lot of stuff. So today we’re going to talk about multi-factor authentication. Security experts such as Emory have forever preached that multi-factor authentication is one of the best ways to keep your online account safe. So let’s start out by talking about what is multi-factor authentication and how does it work.

Emory: Right, Carol. So, multi-factor authentication, or MFA for short, is simply whenever you utilize two or more factors to authenticate or verify that you are the individual trying to access a resource. A resource can be either a website or an application. There are different factors, but different types of factors as well. So, three of the most common types of factors that you can use to authenticate are something an individual knows, something an individual has, or something an individual is.

Let’s get some examples of each one of those. Something an individual knows is a common example of username and password. Something an individual has such as a smartphone, email address, or a phone number. And something an individual is, biometrics like face ID, facial recognition, retinal scan, thumbprint scanners. Multi-factor authentication is simply using two or more of those types of factors to authenticate or log in to a resource, whether that be a website or an application.

Carol: Alright, you were telling me at one point that we’ve heard from some people that they think that MFA is just too inconvenient. Is that really true?

Emory: Not really. Initially, signing up or registering for MFA was not the most seamless process, but as is the case with technology, it evolves and becomes more seamless and more second nature. When it comes to registering or signing up for MFA now, it’s as simple as scanning a QR code on an app. If you’re using something like Microsoft Authenticator, you’ll open up the app, click a few buttons to add an account, and then it will open your camera and present you with the square bars. You just point it at the QR code, and it registers. Nowadays, apps will actually give you a quick tutorial on how to use the app too, so you’re not going into it blind or have no clue how to use it. As for actually using MFA, it’s usually as simple as entering your username and password to a website, which you’re used to anyway. Then, it will send a push notification to your phone prompting you to either approve or deny, verifying it’s you and not an attacker.

Carol: Okay. So CISA had reported on their website that using multi-factor authentication makes you 99 percent less likely to get hacked. That’s a pretty convincing statistic on why people should use MFA, but why is it not a hundred percent?

Emory: Right. So first off, I’d like to start out with why it is as high as 99 percent. We live in a world where data breaches are pretty common. Companies such as healthcare providers or banks often have data breaches, sometimes including your username and password for your bank account or healthcare login, sensitive information like that. That’s where MFA comes into play. If you have MFA set up for those accounts, it’s not enough for an attacker to know your username and password; they also have to satisfy that MFA prompt, whether it’s a push notification or SMS code. The reason it’s not 100 percent effective is because there’s still that human element of a user pressing an approve button. For example, a common social engineering attack that hackers use is MFA bombing or MFA fatigue. They will continuously try signing in with your account, which will send an MFA prompt to your phone until you press the approve button. They’re hoping you will do that, and as soon as you press approve, it signs them in, which is obviously not good.

That’s why MFA is not 100 percent effective.

Carol: It’s humans.

Emory: Correct.

Carol: Pesky humans. Yep, exactly. So let’s say that you’re sitting there at your desk and you keep getting notification after notification and you suspect that you might be a victim of MFA bombing. What should you do?

Emory: Right, what you should not do is click the approve button. Never under any circumstances should you approve an MFA prompt that you are not expecting or do not recognize. If you know for a fact that you or someone you can visually see is signing into an account that you’ve given them access to, under no circumstances should you press approve. Instead, contact your IT administrator or help desk, notifying them of this issue and telling them, “Hey, I’m getting this MFA prompt, and I’m not expecting it.” The IT administrator or help desk can work with you to circumvent this by registering your account with a different form of authentication. It could be a text message code sent to your phone that you enter into the application or website. Another alternative is receiving a code to your email. You just enter that code to authenticate.

Carol: So there is a workaround. You don’t have to throw your hands up and give in to the hackers.

Emory: Yep. Once you have set up a form of MFA, you’re not married to it. If it gets compromised, there are other forms that you can use like we talked about earlier.

Carol: Okay, awesome. Well, thank you so much, Emory.

Emory: Of course.

Carol: I appreciate you sharing your information and insights on multi-factor authentication. We look forward to talking to you again.

Emory: I look forward to it. Thanks, Carol.

Carol: Welcome.
