Last week we kicked off Cybersecurity Awareness Month with a bit of information on passwords, the keys to digital kingdoms. This week, we are going to focus on Multifactor Authentication, or MFA. If passwords are the key to the kingdom, then MFA is the retina scanner to the secret lab. Multifactor authentication is defined as a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, a person wishing to use the system is given access only after providing two or more pieces of information which uniquely identify that person.
These methods are a mixture (at least 2) of 3 core concepts:
Something you know: This can be a password or the answer to a security question (for example, what road you grew up on).
Something you have: Usually a phone for a text message, call-in code, or push notification.
Something you are: Biometric scans such as a face or fingerprint scan.
Combining two of these three factors adds another layer of difficulty for an attacker trying to get your information. Maybe a password was compromised, but luckily, with MFA an attacker would still need your phone or your fingerprint to authenticate.
Here at the VSC, we use DUO MFA to authenticate VSC applications. This added layer of protection sends a push notification, call, or text message to your mobile device, or gives you a unique code from a hardware token, to confirm that you are who you say you are. This form of MFA combines ‘something you know’ (your password) with ‘something you have’ (your phone or hardware token).
MFA is one of the best ways to secure your accounts and is quickly becoming the industry standard in any service that requires account creation and authentication. However, there have been situations where cyber attackers have gotten around MFA. These situations typically involve an attacker triggering MFA approval requests repeatedly (i.e. a flood of push notifications or texts asking to allow access), and the owner approving the login either due to confusion or annoyance. Therefore, if you begin to receive MFA requests en masse, and you are not attempting to log into anything, do not approve the requests! Instead, contact the service (or VSC IT for VSC applications) right away and change your password for the account, and any accounts using the same password... not that you would reuse a password anywhere though, right?
For more information on MFA here at the VSC, check out our support page here: https://support.vsc.edu/accounts-passwords/mfa/
Thank you for staying cyber safe!