CAM 2022 Week 3 – Multi-factor Authentication

Welcome to week 3 of Cybersecurity Awareness Month! We have crossed the halfway mark for October and we only have two more weeks to go! If you haven’t started the Virtual Scavenger Hunt, you can do that now by clicking on the “Start Hunting” button on the banner at the right side of the page. You can complete the first three weeks and be ready when the final week’s questions post on Monday morning, October the 24th.

One change in Cybersecurity Awareness Month activities must be mentioned. The “Spot the Phish” table in Krannert that was supposed to happen last week on Thursday has been moved to next week on Thursday, October 27th, at 11AM. An email went out last week, but here is a reminder in case you missed it.

One more thing before we move to this week’s topic. Don’t forget to report every phishing email you receive. If you report one of our test emails this week, or you report a real phishing email, your name will go into a prize drawing to be held at the end of the week. The winner of the drawing will get an Oontz 3 waterproof Bluetooth speaker and case. It’s easy to report an email! If you are using Outlook to read your Berry email, just use the Phish Alert Button in the toolbar. If you use your phone to read your email, you’ll need to use the Outlook app for either Android or iOS to report the phish. The Phish Alert Button is under the “three dots” menu when viewing an email. If you don’t use Outlook or the Outlook app on your phone, you can always sign in to https://mail.berry.edu and report it there, again, under the “three-dots” menu. Good luck spotting those phishing emails and good luck in the drawing!

Week 3 of Cybersecurity Awareness Month is all about multi-factor authentication (MFA), also called two-factor (2FA) or two-step authentication. We’re going to use the term MFA here to keep things simple. MFA is enabled and required on all Berry accounts to help protect both you and the college from attackers. The Office of Information Technology (OIT) encourages you to enable MFA on all of your accounts that are MFA-capable. This includes almost any account you can have now, including social media, email, banking and financial sites, medical and insurance sites, and any other site that stores, or where you input, sensitive information.

How does MFA work? To some degree, you know this already from using your Berry account. Your Berry account only requires an “Approve” or “Deny” response on the Microsoft Authenticator, or a phone call to one of your phone numbers. Other forms of MFA include generated six-digit codes from smartphone apps like Google Authenticator, Authy, or the familiar Microsoft Authenticator, hardware “keys” that plug into USB ports, or other methods like fingerprints and facial recognition.

The basic components of MFA are called factors. Factors include something you know, like a password or PIN, something you have, like a hardware key, and something you are, including fingerprints, facial recognition and even retina scans in high-end security systems. When you use MFA for your Berry account, you are providing your password as one factor, and then you are using the smartphone app to either “Approve” or “Deny” the login, or answering a phone call, which is the second factor. Using MFA means that even if someone has your username and password, they still can’t get into your account without an approved second factor. This increases the security of your account.

Check your account security settings for all your sensitive accounts to see if they support MFA. Remember, they may call it 2FA or 2-step authentication. It’s all the same. Yes, it might take you another couple of seconds to sign into an account, but it is much more secure. Data breaches happen every day, and unfortunately you have no control over your social media site, email provider, or bank’s security. All you can do is apply as many layers of security to your account as possible. MFA is a strong layer of security, but it is not infallible. Weak forms of MFA can be hacked. These include phone calls and one-time codes via text message. Much stronger is an app like Microsoft or Google Authenticator or even a hardware key for sites that support them.

I’ve mentioned hardware keys a number of times and I want to give you just a little information on them. Some of the better and simplest hardware keys to use are made by a company called Yubico. Yubico makes a line of hardware tokens they call YubiKeys. There are YubiKeys to fit USB-A, USB-C and Lightning ports. They also make a YubiKey that works over near-field communication (NFC) to work with phones and other devices that may not have USB ports. YubiKeys are relatively inexpensive (~$25-$40) and very durable. If you really want to take your MFA experience to the next level, check into hardware keys like the YubiKey.

That’s it! I hope your third week of October is great! I know the students will enjoy their two days off, or will already have enjoyed them by the time they read this. Be sure to complete your Cybersecurity Awareness Training for Fall 2022 if you haven’t already. It will only take about 20 minutes and can be done in multiple sittings. If you do have to split your time up, you can get back into the training platform by going to https://myapps.berry.edu and clicking on the “Berry Security Awareness” app, or go to https://berry.litmos.com and click on the “Sign in with your Berry account” link to get back to your course.

I already mentioned the Virtual Scavenger Hunt, but I’ll mention it again. Get your name in the hat to win the high-capacity charging pack by completing every week of the hunt. Each week you participate also makes you eligible to win a weekly prize complete with a desktop fidget spinner and lots of candy. Get hunting!

Until next week!
