Why passwords won't keep you safe without MFA


SALT LAKE CITY — 4.6 million Scottrade accounts exposed by hackers. Russian pleads guilty in largest U.S. hacking scheme—more than 160 million accounts compromised. Experian data breach: 15 million T-Mobile customers at risk. And these cyber-terror headlines are just from the past two weeks.

So how safe is the average person's online information?

If consumers are only using a password to protect sensitive accounts, not very. Research conducted by Ponemon Institute for CNNMoney revealed almost half of America's adults were hacked in one year.

Passwords provide a false sense of security. Hackers and the tools they use are getting too smart. In addition to proliferating dictionary lists that contain more than one billion stolen passwords, hackers also use complex algorithms to probe random combinations of words and special characters during an attack.

"Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account," Matt Honan wrote in a piece titled "Kill the Password" for WIRED. It was published back in 2012.

CynoSure Prime, a password research collective, is on a mission to prove this very point. They've cracked the passwords of almost 12 million accounts from the infamous hack of adult site Ashley Madison. More revealing is the fact that they found fewer than 5 million unique passwords. This is why dictionary lists are so powerful in the hands of a hacker.

So how does the average person protect their online personal information?

Multi-factor authentication, also called MFA, makes it impossible for a hacker to compromise an account with just a user name and password. They can't do it. That's because MFA requires at least two of the following data points:

1. Something you know: a username and password
2. Something you have: a smart phone or token device
3. Something you are: biometrics

"Skyfall", "Mission Impossible", "The Bourne Identity" — they are all modern-day spy movies with scenes built around an MFA challenge, because requiring multiple forms of identification is the universal access standard for highly secure systems. What most people don't realize is that the same or similar levels of security can protect most of their personal information today.

MFA is not science fiction for the masses. It's here now. More than a growing reality, MFA is a necessity in a world terrorized by hackers.

The most common form of MFA requires a user to enter a special code sent via text message after signing in with their username and password. Without this additional code, access is denied. A hacker would need physical possession of the user's phone and their username and password to do any real damage.

Additional methods of MFA include smart phone apps that generate one-time verification codes (Google Authenticator, SecureAuth), apps that send push notifications to authorize a sign-in (Duo, Transakt), devices that can generate one-time verification codes (RSA SecurID, YubiKey), and fingerprint and smart card readers. The industry is in its infancy, so more biometric methods are on the way.
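To show what the one-time codes from an authenticator app actually are, here is an added example (not code from the original story or from any of the products it names) of the time-based one-time password algorithm, RFC 6238 TOTP, written in Python. It generates the six-digit code the phone would display and then plays the server's part: checking a submitted code while allowing one 30-second step of clock drift and refusing to accept a code for a time step that has already been used, so a code a hacker intercepts cannot be replayed. The shared secret is the reference secret from RFC 6238 (chosen so the output can be checked against the RFC's published test vectors); the 30-second step, the six-digit length, the one-step drift window, and the `SecondFactorVerifier` and `login` names are assumptions made for this demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 6238 reference secret and defaults.
# A real deployment generates a random per-user secret at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch.
    This is what the authenticator app on the phone displays."""
    return hotp(secret, at_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of the second factor for one user (assumed helper, not a real API)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps          # tolerate +/- this many steps of clock skew
        self.last_accepted_counter = -1         # highest time step already consumed

    def verify(self, submitted: str, now: int) -> bool:
        """Accept the code if it matches the current step or one within the drift window,
        and only if that step is newer than the last one accepted (blocks replay)."""
        counter = now // self.step
        for candidate in range(counter - self.drift_steps, counter + self.drift_steps + 1):
            if candidate <= self.last_accepted_counter:
                continue                        # already used, or older than a used code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_counter = candidate
                return True
        return False


def login(password_ok: bool, submitted_code: str, now: int,
          verifier: SecondFactorVerifier) -> bool:
    """Both factors must pass: a correct password alone never grants access."""
    if not password_ok:
        return False
    return verifier.verify(submitted_code, now)


if __name__ == "__main__":
    # Unix time 59 is the first RFC 6238 test vector (8-digit code 94287082).
    print("code at t=59:", totp(DEMO_SECRET, 59))            # 287082
    v = SecondFactorVerifier(DEMO_SECRET)
    print("first use :", login(True, "287082", 59, v))       # True
    print("replay    :", login(True, "287082", 70, v))       # False
```

The verifier keeps the last accepted time step per user; in a real system that state has to live server-side (a database row, not process memory), otherwise a restart re-opens the replay window.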

While MFA is a standard industry term, Google calls it "2-step verification," Wells Fargo calls it "advanced access" and PayPal calls it "security key." If that's not confusing enough, finding where to enable MFA on some sites is like searching for the lost Ark of the Covenant. When in doubt, contact support for the website in question.

The site Two Factor Auth offers a long list of websites that do and don't offer MFA. Surprisingly, there are a number of big-name corporations on this list that don't: Amazon, American Express, Citibank, U.S. Bank and more.

Not surprisingly, many Fortune 500 corporations already require MFA for employee accounts or are in a race to do so to stem the tide of major data breaches. No one wants to become the next Ashley Madison. And unless Russian roulette happens to be a favorite game, consumers should do the same thing.

Passwords are becoming antiquated. MFA or 2-step verification, on the other hand, is the best defense available against a determined hacker. Don't be their next victim.

October is National Cyber Security Awareness Month.


Ben Hutchins is an identity management professional with degrees from Brigham Young University and Syracuse University. He is also the chapter president of Utah Valley Legends in the League of Utah Writers. EMAIL: ben@benhutchins.com
