This might be an annoying extra step to accessing an app, or getting into your account. However, it is absolutely necessary for protecting yourself against cyber attacks.
Why humans are terrible with passwords
In the early days of the internet, passwords made sense. You come up with a word that you can remember easily, that nobody else knows about. Use that, and your email, and you can access your accounts. Unfortunately, coming up with passwords was a bit tricky, and so people chose something that was very easy to remember; the name of their street, or their pet, for example.
However, these were far too easy for attackers to guess with something like a dictionary attack. This is where the attacker runs some code with words, or combinations of words that can be found in the dictionary, and guesses lots of different passwords. They could also do targeted dictionary attacks, where information was gathered online (such as the name of pets, birthdays and relatives) and those words were added in.
The password requirements might have developed, but so too did the attacks. Now you might need a capital letter, a number and a symbol within your password, but the code that attackers write can account for that too. An attacker can try passwords that are very common, that meet all the password criteria, using automated code; meaning thousands of attempts can be made with lots of account details in a very short space of time.
For users, with all of these additional criteria for a password, it’s also very difficult to remember them all. Typically, people start reusing the same password for multiple accounts, which makes them even more vulnerable to a phishing attack. Now, an attacker only needs to gain the details of a single account to be able to access multiple websites and apps with the same login details.
Why multi-factor authentication is the answer
When you turn on multi-factor authentication for an app, or a website, it means that you need one or more extra pieces of information to login. You use your email and password, as usual, and then you add something else, usually from a second device like your mobile phone. This is often a code, sent to your phone or your email address, or it can be biometric data like your fingerprint. The principle behind multi-factor authentication is that even if your email address and password is stolen, the attacker won’t be able to access your account without the extra piece of information.
We’d recommend using an authenticator app, like Microsoft Authenticator.
It is best practice to turn on multi-factor authentication for every account and application that you use; even accounts that you use infrequently. This is important because if an attacker was able to access a single account, they can use them for credential stuffing attacks (where they try these details in lots of other websites and apps) and targeted phishing attacks (where they contact you using these details to convince you to provide further information).
As technology continues to advance, attacks are getting more sophisticated, and users are more vulnerable. By turning on multi-factor authentication for your account, you are drastically reducing risk.
What about Passkeys?
Passkeys are a way of signing into an account using biometric data, such as your fingerprint or face ID, or a piece of information that you have on that device like a screen lock. A screen lock is the information you use to log in to your device; so this could be a pin number, or a pattern lock.
Passkeys improve your security by requiring you to have your device with you, in order to sign in to an account. This is particularly useful in countering phishing attempts or hacking, as it’s very unlikely that a scammer has both your device, and the information required to access that device. If you don’t have that device with you, you can still access your account using passwords and multi-factor authentication.
Passkeys are easy to create; just go to the account that you want to create a Passkey for, and follow the instructions. After you’ve set up your device as a passkey, you can use your fingerprint, face or screen lock to access your account. Many accounts allow you to set up Passkeys including Google, Microsoft365 and Amazon.
Want to know more about MFA? Give us a call on 0191 482 0444
