This site is all about improving everyone’s knowledge and awareness of information security, with the aim of fostering a culture of security in which being secure becomes second nature in both professional and personal life.
Cybersecurity or Information Security Awareness matters for organisations and individuals alike because it arms both with the knowledge and mental tools to recognise malicious actors who try to manipulate people into handing over what they want, whether via phishing, business email compromise (BEC) or other social engineering tactics.
With over 80% of all breaches involving the human element, including social attacks, Security Awareness Education campaigns have never been more important for organisations all around the world. With this article, and a series of subsequent weekly articles this month, I would like to go over some basic but important information security concepts with the aim of educating and informing all people and equipping them with the know-how to fight the attackers of today and tomorrow.
Multi-Factor Authentication
Everyone is familiar with the standard username and password method of authentication, but research and news stories have shown time and time again that passwords alone are not as secure as we would like them to be: they get reused across sites, guessed, phished, and leaked in bulk when a service is breached.
Enter Multi-Factor Authentication or MFA!
MFA adds a layer on top of the standard model: after the username and password are entered, the user must present an additional factor before gaining access to the account or data. Factors fall into three categories, and a genuine second factor must come from a different category than the password, which is already "something you know":
- Knowledge (something you know) like a password, PIN or passphrase. Because the password already covers this category, asking for a second PIN on its own is two-step rather than truly multi-factor authentication.
- Possession (something you have) like a code or approval from an authenticator app on your mobile phone, a hardware security key, or a code sent by SMS (the weakest of these, since SMS can be intercepted or redirected through a SIM swap).
- Inherence (something you are) like your fingerprint, face scan or other biometric indicator.
This added piece of security in authentication is a must in my opinion, and the best way to describe why is via the following scenario.
Say you have an account on an online platform that only uses a username and password to provide access, and that platform suffers a data breach exposing the usernames and passwords of some of its clients. Whoever obtains those credentials can now log in to your account through the normal channels. With MFA enabled on the account, however, the username and password alone are not enough: the attacker also needs the second factor, and that was never part of the breached data, because the secret behind an authenticator app, a hardware key, or a biometric lives with you rather than in the platform's credential database.
It is for this reason that my advice to everyone is to always set up MFA for personal and work accounts. Companies should ensure that all the platforms they utilise have MFA enforced by default for all users. This enforcement is made easier by means of Single Sign-On (SSO): employees log in once through a central identity provider that enforces MFA, and every platform connected to it inherits that protection, so no matter the number of platforms in use, MFA is configured and enforced in one place rather than per application.
Additionally, be sure to set up MFA for all your personal accounts. Most platforms offer MFA as an optional measure (though in my opinion it should always be enforced), so take that option and set it up for every account, preferring an authenticator app or hardware security key over SMS where the platform supports them. The online 2FA Directory has an extensive list of online portals and whether they offer MFA, including the methods supported.
In conclusion, and I apologise for repeating myself but am doing so to stress the importance of this, where possible implement or enforce MFA for all corporate and personal accounts! This is not to say that MFA will completely protect you from compromise: attackers can still phish a one-time code in real time or pester a user with push notifications until one is approved, which is why phishing-resistant methods such as FIDO2 security keys or passkeys are preferable where they are offered. But even the simpler forms of MFA make it a great deal harder for the bad guys to get in.