CAM 2023 Week 2 – MFA, MFA, MFA!

Ha! No, the title is not some patriotic chant or crude taunt. It is a cheer for multi-factor authentication, one of most powerful tools in our arsenal to combat cyber attackers and it is the subject of this week’s Cybersecurity Awareness Month article. We’ve talked a LOT about multi-factor authentication, or MFA for short, here on this site. There are articles from previous Cybersecurity Awareness Months (you can check the archive here), there is a Quick Info page about MFA, and a search for “MFA” on this site returns 11 pages of results. To save you time, I am going to briefly go over it all again, starting with “what is a factor?”.

A factor is a way to prove your identity. There are three different types of factors –

• something you know
• something you have
• something you are

Something you know includes a username, a password, a PIN, a secret word, an email address, or some other piece of information that you have memorized or simply know. Something you have is a key, a smart phone and app, a token, or other physical or virtual object. Finally, something you are includes your fingerprint, your face, your palm, your eyes, or even vein patterns on your skin. For an authentication process, or login, to be multi-factor or two-factor, you must have one thing from at least two different categories.

What does this mean? It means that providing a username and password to log in to a site is a single factor login, because these are both things you know. To make the login multi-factor, you need to provide either something you have or something you are. For example, here at Berry we require MFA for access to your Berry account. You must provide the correct username and password, and then, if you are using our preferred method of MFA, you will open your smart phone and enter a number and approve the login. Other methods include receiving texts or phone calls, but these are less secure, and Microsoft is eager to stop allowing the use of text messages and phone calls as a second factor.

Other websites are getting on the MFA bandwagon, some by allowing it and some by requiring it. The Office of Information Technology recommends you turn on MFA everywhere you can, for all your accounts, even if the website doesn’t require it. If you have an account on a site that doesn’t support MFA, put in a support ticket to that site and demand MFA.

Other sites, like Google, are actively pushing for “passwordless” login, and this is an exciting new technology that can take some of the tedium out of logging into a site while remaining very secure. Until recently, this just meant that instead of using a password as one of your factors, something else was used, usually a one-time password sent to your phone or email. These methods did not change the “behind the scenes” process. However, one of the “passwordless” technologies that is gaining support is passkeys. There are some technological requirements to be able to use passkeys. You must have a trusted device to store your passkeys. This is usually a smart phone, but can be a desktop with biometric scanning capability (meaning it has a camera or a fingerprint reader attached), or a special hardware security “key” you must purchase from a provider like Yubico. This security key either plugs into a USB port or uses NFC (near-field communication) to provide the stored passkey. Freedom of the Press Foundation has a great article on passkeys that walks you through the process of setting up passkeys on a Google account. If you want to someday forget about passwords, you should check it out.

One last note before we wrap up for this week. As I mentioned already in this article, Microsoft is interested in eliminating text messages and voice calls as second factors. They announced this in a rather quiet way for their Office365 customers earlier this year. Immediately, cyber attackers used the announcement as a pretext for sending phishing emails that warned the intended victim that they must immediately update their MFA/2FA settings. The email provides only a QR code to get to the settings to make the update. These emails are not real! If you have received an email like this, with nothing more than an urgent statement that you must update your settings and to use the QR code to do so, please report them to OIT. Do NOT follow the QR code, as that will most likely bring you to a fake login/settings page that will request (and steal) your username and password.

If you have not started the Virtual Scavenger Hunt, go ahead and click here to go to the start page. Complete the hunt and be eligible to win a pair of Bluetooth ear buds. The start page has details on the prize and a big blue “Start Hunting” button that will begin your journey through the hunt. Good luck!