Passwords work as keys, unlocking systems and services that we need to access on a daily basis. Multifactor authentication (MFA) is a secondary lock, or a deadbolt, on the front door of our systems and services. Multifactor authentication is defined as “a security process that requires more than one method of authentication from independent sources to verify the user’s identity.” In other words, a person logging into a system is given access only after providing two or more pieces of information that uniquely identify that person.
These methods are a mixture of at least two of three core concepts:
Something you know: This can be a password or a security question (such as what road you grew up on).
Something you have: Usually a phone for a text message, one-time code, or push notification.
Something you are: Biometric scans, such as a face or fingerprint scan.
Combining two of these three things adds another layer of difficulty for an attacker trying to get your information. Maybe a password was compromised, but luckily, with MFA an attacker would still need your phone or your fingerprint to authenticate.
Here at the VSC, we use DUO MFA to authenticate VSC applications. This added layer of protection sends a push notification or text message to your mobile device, or gives you a unique code from a hardware token, to confirm that you are who you say you are. This multifactor setup is a combination of ‘something you know’ (your password) and ‘something you have’ (your phone or hardware token).
MFA is one of the best ways to secure your accounts and has become the industry standard in any service that requires account creation and authentication. However, there have been situations where cyber attackers have gotten around MFA. These situations typically involve an attacker sending MFA approval requests repeatedly (i.e. a flood of push notifications or texts to allow access, aptly called an ‘exhaustion attack’), and the account owner approving the log-in out of either confusion or annoyance. Therefore, if you begin to receive MFA requests en masse and you are not attempting to log into anything, do not approve the requests! Instead, contact the service (or VSC IT for VSC services and applications) right away and change your password for the account, and for any accounts using the same password… not that you would reuse a password anywhere though, right?
For more information on MFA here at the VSC, check out our support page here (I promise this is a legit link and not an awareness month test!): https://support.vsc.edu/accounts-passwords/mfa/