“I think I’ve been hacked!” With all the recent media coverage of major corporations being compromised and having customer data stolen, people have become more aware of computer security and its importance. What many don’t know is that it isn’t just the big corporations you see in the news getting hacked, and you may not even get notified when smaller companies get hacked. Scary stuff right there.
So what can you do to protect yourself? There are quite a few things, actually. Multi-Factor Authentication (MFA) with One-Time Passwords (OTP) is one piece of this puzzle that isn’t used as often as it should be. Sound complicated? It really isn’t, but it is extremely powerful.
Have you ever logged into Facebook and had to wait for a text or use your Facebook mobile app to get a code so that you can log in? If so, you’ve used an OTP with MFA. It is an extra step, but it isn’t hard and it greatly increases your account’s security.
So what is MFA and OTP?
MFA is a technique used to secure your accounts and prevent them from being hacked, even if your password is compromised or somebody is actively trying to hack your account. How does it work? The basic idea is to use more than one authentication method. Your password, for example, is one method. You may be thinking that having a second password would be MFA, but it’s not. MFA requires at least two types of authentication. Below are the types and a brief description of each from Wikipedia:
- knowledge factors (“things only the user knows”), such as passwords
- possession factors (“things only the user has”), such as ATM cards
- inherence factors (“things only the user is”), such as biometrics
In the Facebook example above, the two factors are a password (a thing only you should know) and a code sent via text to your phone (a thing only you should have access to).
The idea is that if somebody discovers your password (whether you tell them, have malware on your computer, get hacked, or any other method), the second factor is still secure, so they cannot log in. This is very powerful! Depending on how the MFA is set up, they may not even be able to determine that they have hacked your password. In this setup, even if they hack your password, they get the same invalid login error because the second authentication factor is wrong.
The same idea applies if the authenticator you have (such as Google Authenticator, which can be installed on your smartphone running Google’s Android or Apple’s iOS) is stolen; they still need to get your password to log in. An attacker needs to find a way to break two authentication methods instead of one. That is very difficult to do, especially if the MFA codes are set to expire every 30 seconds! Before they accomplish that, you will notice that your smartphone is missing and can deauthorize that authenticator so the codes generated by it no longer work for your account. Nice!
Going back to the Facebook example, the code that you received as a text is a One-Time Password. You can look at the Wikipedia page for more information, but an OTP is simply a password that only works once. Isn’t it great when the name of something explains exactly what it does? Once an OTP is used, that password expires and will not work again. It would be annoying to manually change your code every time you log in, and since this would still only be a second thing that you know rather than something you have or are, just like a normal password, it doesn’t qualify as MFA. To increase security and facilitate MFA using OTP, there are devices and apps called authenticators.
An authenticator is tied to your account and generates codes for you, making it a faster and more reliable way to generate codes than waiting for a text message to arrive. An authenticator can be an app on your mobile device, an extension in your web browser, or even a dedicated physical device. It is important to understand that the security of the authenticator is as important as, or perhaps even more important than, the security of your password. It’s a good idea to take steps to secure your authenticator no matter which type is used.
Security for your Business
The ideas above do not apply only to your personal accounts such as online banking or email. They apply to your business as well. If your business isn’t secure, it is a huge risk. A business is a higher priority target for a hacker than the average person, since a business is much more likely to have something valuable if compromised. On top of that, the typical small business has only very minimal security. If you aren’t using MFA and OTP in your business, especially if you are using cloud services, it would be a good idea to consider implementing them. If you have already looked at MFA solutions but they seemed too expensive or complicated for your business, it’s worth another look. MFA solutions do not need to be super complicated or expensive. As always, we here at Zeta Sky are here to help. All you need to do is contact us and we’ll make it easy for you.