This blog post was published on 3rd May 2023 and the information may be out of date.

I’m going to mention some products and apps I use in this post. I am not affiliated with them and these should not be perceived as recommendations from my employer.

Let’s start with some definitions. MFA stands for multi-factor authentication, which you might also know as 2FA (two-factor authentication) or 2SV (two-step verification). You sign in to an online account using your username and password, and then you have to enter a code from a text message, call, or authenticator app, or you might approve a push notification in an app. You might also plug in a security key — I have a couple of YubiKeys.

At first it feels inconvenient to have that extra step, but it stops attackers or bots from getting into your accounts if they have your password, because chances are they don’t have your phone, biometric data, or security key. You’ve probably seen simulated phishing emails as part of your IT training that might be trying to trick you into typing your work account address and password into a website that will steal them. If you do unfortunately fall victim to this, MFA will protect you if someone tries to log in with your credentials. A commonly quoted statistic is that MFA will prevent about 99% of account breaches.

One of my favourite YouTubers, Tom Scott, did a fantastic video about MFA that is very informative and honest:

“Why You Should Turn On Two Factor Authentication” YouTube video by Tom Scott.

One of the biggest challenges with passwords is that when you have to remember so many, and they all have different complexity requirements, you start to reuse passwords so you can remember them. This isn’t ideal, because as soon as one service gets breached and a list of usernames and passwords appears somewhere, attackers might attempt to use those credentials against other websites and services. This is where password managers are useful.

Password managers are what they sound like — an app/service that holds all of your passwords for you in an encrypted vault. Some common ones are Keeper and LastPass. They usually sit in your browser as an extension, or as an app on your phone, and let you auto-fill login fields for convenience. They also allow you to generate strong random passwords, and you just have to remember the one master password. Needless to say, your password manager should be protected by a strong master password and MFA.

I would recommend having a separate password manager rather than just letting your browser save your passwords. If you save your passwords in Chrome, for example, they’re only protected by your Google account. Is your Google account secured to a standard you’re happy with? I don’t like the idea of an attacker being rewarded with my Google account and all of my passwords if they manage to break in, so I keep everything separate.

I felt these subjects went hand-in-hand, but also that MFA (multi-factor authentication) can probably let us relax a little about complex, tough-to-crack passwords, since a password on its own is no longer enough to get in. Companies like Microsoft are even hoping to remove passwords from the equation altogether.

Some more articles on these subjects if you’d like to do some further reading:

What is two-factor authentication (2FA)? | Proton

What is a password manager and why do I need one? | Proton

Turn on 2-step verification (2SV) — NCSC.GOV.UK

Password managers: using browsers and apps to safely store… — NCSC.GOV.UK