Passwords are problematic, we all need so many of them these days that the reality is we end up using the same password for a number of things. This poses a pretty serious problem. What if a slightly dubious shop you've bought something from gets hacked and they haven't encrypted their user's passwords. There's a good chance that the hacker now has your email address and the password you used at that website.
To the hacker there is now a pretty high chance that they can take that email address and password and use the same combination on a number of different sites. Perhaps your Facebook or twitter, or even your email itself. If you used the same password there the hacker now has access to everything. All your other accounts link back to your email address and they can then use this to change all your other passwords, locking you out completely.
In the business world, think of the damage that can be done to your reputation with a few tweets or emails sent to the wrong people.
So how do you prevent this? Well there is a pretty valid argument in using different passwords for different services so this type of thing can't happen. This is definitely recommended, however in addition to this the use of two factor authentication can add an extra layer of security to your accounts. Two factor authentication makes it almost impossible for a hacker to gain access to your accounts.
What is multi factor authentication?
It's based broadly on the same concept as you bank card with chip and pin. This works on the premise of something you own, your bank card, and something you know, your pin code. Therefore someone can steal your card and can't access you account without the pin. Or they can guess your pin but without the card this is useless.
In the IT password world, something you know is your password. But there is no natural something you own. Some companies introduce smart cards that need to be plugged into laptops to let you log into their systems. Not particularly practical in the internet age, where you may need one for Office 365, another for Facebook and another for Twitter etc.
The obvious choice that most service providers go for is the mobile phone, very rarely is this out of hands reach. They send a text message to the mobile with a code that you enter when you log in.
In this instance you have something you know, your password and something you own, your mobile phone or at the very least the code you could only have got from having that mobile phone to hand.
So unless a hacker or other malicious user knows your password and has access to your mobile phone, they're not getting in.
So what's the downside?
Not much to be honest, couple of more trivial things.
- Some older applications which simply pass your username and password to a server need a little extra configuration. You can setup application specific passwords which allow these to continue to connect without a code from your mobile phone every time.
- If you don't have your mobile phone to hand you may lose access to your data until you can get it. However most services allow you to put several numbers in from which you can receive a code. So as long as you spend the time at the beginning setting it up right this should never be a problem.
There is some discussion around the use of mobile phones as the second factor as not being particularly secure. Often the mobile phone also has the user's email and therefore the loss of a mobile phone, if unlocked, gives the thief / hacker complete access to everything.
That said, in our opinion, whilst not perfect, this offers significantly better protection than just using a password.
If you'd like any help with adding a layer of security and getting your services working with multi factor authentication then please get in touch with us at SynEngin and we'll be able to help you out.
Book a free consultation with us through our main site (https://synengin.com) or reach out via phone or social media.