Using Multi-Factor Authentication


The opening line of a common phishing email says “I have some very bad news for you.” It goes on to claim that the hackers have your password, and that unless you pay up (in Bitcoin), they will release compromising information about you.

I also have some very bad news for you, but I also have some good news, and it won’t cost you a cent. First the bad news. Passwords, as a way to safeguard your online accounts, are not secure. They can be hacked or stolen, and give a false sense of well-being. The good news? There’s a tool that can restore security to those accounts. It’s called multi-factor authentication, abbreviated as MFA.

It’s called that because it adds a second factor, “a thing you have,” on top of your password, which is “a thing you know.” For example, you log onto your bank’s web service with a user ID and password. The bank then sends you a one-time, automatically expiring numerical code via text message or phone call, which you enter into the bank’s website. Because this code changes every few minutes and is unique to your account, it cannot be stolen or used by the bad guys. Even if hackers get your password, they will be stopped by the request to enter this code.

Most banks, credit card companies and other financial entities that let you access your information online offer MFA. On the majority of sites you need to opt in, as it is not on by default. Look for it under ‘security settings’ or ‘alerts’ on the financial institution’s website. You can usually set up one method (say, texting) as the primary authenticator, and another (phone call or email) as a secondary method. If your financial websites don’t offer it as an option, voice your opinion that they need to implement it.

Even more secure is the use of an authentication app on your phone for MFA. When you install this app, the financial institution will send it a code that you can then enter to access your account. This is more secure for one reason. A scam known as SIM-cracking allows a bad guy to convince a cell phone provider’s customer service representative to forward one phone number to another. If they succeed in doing this and you have MFA turned on, the bad guy can have the code sent to your phone number, which is then forwarded to their phone. With an authentication app, the bad guys would have to physically possess your phone to steal the code.

Facial recognition and fingerprint ID on modern smartphones are a form of MFA. They aren’t quite as secure, because if they fail to recognize your face or fingerprint, they fall back to having you enter a passcode. If the bad guy actually possesses your phone, and knows that passcode, that’s no security at all.

Yes, MFA is another step you need to take to log on and access your information. With time, though, it becomes routine, and the extra level of protection it provides is well worth it.

