Multifactor Authentication: What I Know + What I Have

Multifactor authentication (MFA) or Two-Factor authentication (2FA) works on the principle of “something you know” plus “something you have (or are).” “Something you know” is your username and password. “Something you have” can be a smartphone, USB security key, your fingerprint or face, or other physical object in your possession that can be used to identify you.

The Federal Reserve has required banks and many credit unions to have MFA protection in place for online banking for more than 10 years.  So, if you do online banking, you’re already familiar with using 2FA.  Banks tend to use either SMS text messages, phone calls, or even email to verify your identity.  Many also store very specific information about your PC (it’s hardware build, IP address, OS, etc.) so they don’t have to ask you for the second authentication every time as long as you use the same PC, and the same web browser.  This latter method is a popular method of 2FA when the only risk is to your personal data (not the bank’s data in general).  It is a balance between tighter security and user convenience.

I urge all of my clients to require 2FA, especially for remote access.  Single Sign On applications like Imprivata already use a second factor of authenticating a physician prescribing a controlled substance.  In that case, the “what you know” is your hospital ID/PWD.  The “what you have” is your cellphone with the Imprivata app.  Your app is only registered to you and just for that phone.  If you change phones, that app won’t work until you register your new phone. This prevents someone from stealing your password and installing the Imprivata app on their phone and using it.    We ask employees to 2FA every time they log in because it’s not just their personal data we’re protecting, it’s all hospital data – especially patient information.

If you wonder how effective 2FA is in stopping fraud, here are some statistics:

1. Microsoft sees more than 20 MILLION credential stuffing attacks a day. Credential stuffing is where hackers take known usernames/passwords that they’ve purchased off the “dark web” and try them against popular sites, like Office 365, Gmail, and unfortunately, corporations like ours. (It’s estimated that more than 12 billion usernames/passwords are available for sale to hackers).   Why do hackers buy these? Because 73% of all users reuse their IDs and/or passwords on more than one site.
2. Microsoft security experts have seen a 99.9% drop in compromised accounts for those using 2FA. That’s right – 2FA stops virtually all attempts at getting into your account with just your userID/password.
3. If you use Google/Gmail and you’ve added a recovery phone number (and if you haven’t you should), this simple 2FA step has had amazing results, according to Google – the recovery phone number option has blocked up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.

So, this is why 2FA is so important – and why everyone should adopt it in the workplace, and at home. What you know and what you have are a dual threat to the bad guys.