For many years, information technology professionals have been encouraging folks to adopt multifactor authentication, commonly referred to as MFA, whenever possible. As its name implies, MFA requires, in addition to a password, the use of another factor, or type, of authentication to log in. The most popular alternate factor has been text messaging. But over the past few months, there has been an uptick in the hacking of accounts secured with MFA and text messaging. Security-minded folks should use authenticator apps instead.
MFA, which grew out of what used to be called 2FA (two-factor authentication), is a secondary security method born out of the decades-old security principle that at least two different kinds of proof are needed to secure an account: “something you know, and something you have” (and, increasingly, “something you are,” such as a fingerprint). “Something you know” is the password. “Something you have” is your phone. An authenticator app confirms that you have your phone, or more precisely, that you have the secret key that was stored on the phone when you enrolled.
In years past, a texted code was enough to confirm that you did, indeed, have your phone. Even though there were known weaknesses to the technology, such as a criminal persuading a carrier to move your number to a new SIM card, it was still much better than nothing, and those attacks were rarely used against ordinary users.
But the bad guys have caught up and exploits are being reported at a much higher rate, hence the need for something more secure. Instead of receiving an authentication code via text, the code is generated on your phone by an authenticator app, from a secret the site shared with the app when you enrolled, so it never travels over the phone network where it could be intercepted or redirected.
The two most popular authenticators are from Google and Microsoft, and are cleverly named Google Authenticator and Microsoft Authenticator. If you don’t yet have one of these two apps, it’s time to get one even if you don’t need it at the moment. It will be a lot easier and simpler when the need arises if you already have an app. Many apps and sites are requiring nontext-based MFA.
Both apps are free and readily available in the App Store, Google Play Store, and other Android stores. Both these behemoths have a vested interest in ensuring safety in their ecosystem and that’s why the authenticators are free, and to date, ad-free as well. (Some might say they keep your data safe so that they can steal it for themselves, but that’s a topic for another column.)
Both apps work well, but of course are tailored to the vendor’s products. So if you are in a Microsoft-centric environment, get the Microsoft Authenticator, and vice versa for Google. If you aren’t tight with Satya (Nadella, Microsoft CEO) or Sundar (Pichai, CEO of Google and Alphabet, its parent company), either one is fine. After obtaining one of the apps, use it for every site you access that requires you to log in, such as financial services, health care and even social media. If a site requires you to log in but doesn’t support MFA, that’s a sign that it might be best to stay away.
Of course, with greater security comes greater complexity. The texting method of MFA is quite simple. When registering for MFA, you enter your phone number and the site sends a test code to make sure it’s the right number. From then on, for every log in, after successfully entering your password, a text is sent with a code to finish signing you in.
The most popular way to add a site to an authenticator app is to hit the “+” sign in the app and scan the QR code the site displays on its screen. The QR code carries the site’s name and the secret key; the app keeps that key and uses it, together with the current time, to compute the six-digit code that changes every 30 seconds. What if you’re trying to add MFA to a mobile app on your phone and it displays the QR code there, where you can’t scan it with the same phone? There are typically alternatives for just this very situation, usually labeled something like “can’t scan image” or “add code manually.” This requires that you type in a string of characters (the same secret key, spelled out as letters and digits) after hitting the “+” sign.
Many organizations use their own MFA for internal apps. Cisco’s Duo is quite popular, as is Oracle’s Universal. Also, some commercial apps require you to use a specific authenticator, such as Symantec VIP or OneAuth. When you start using too many authenticators, it can get confusing as to where to find the authentication code, so try to keep these to a minimum.
Finally, even though authenticator apps are more secure than texting, the most common attacks still go after the human rather than the technology. A code from the app is only good for about 30 seconds, but a crook who talks you into reading it out, or who gets you to type it into a look-alike website, can use it in that window; likewise, a flood of “approve this sign-in?” prompts you didn’t ask for means someone already has your password and is hoping you will tap “approve” just to make them stop. If someone you don’t know or trust gets a hold of you and asks for a code from the app or tells you to approve an authentication, DON’T do it! No matter how convincing they might sound, this is a variation of the oldest scam in the book.
John Agsalud is an information technology expert with more than 25 years of IT experience in Hawaii and around the world. He can be reached at jagsalud@live.com.