Cygilant Blog

Fear (Multi-)Factor

Posted by John Linkous on Mar 27, 2017

During the early-to-mid 2000s, the NBC network aired a successful reality television show called “Fear Factor.”  In that show, contestants competed by attempting a broad range of terrifying stunts, eating grotesque foods, and a range of other activities designed to exploit their innate fears.  The contestants, one assumes, had weighed the value of the show’s prize against the risks of the unknown, and decided to participate in the hopes of winning the $50,000 top prize.

Frequently, I see people playing their own technological version of “Fear Factor” – only they don’t realize that they’re in a game, and the prize for winning is vastly smaller: they merely get to keep their email, their bank account balance, or other information that they already own.  This game is played when people expose themselves by assuming that a password alone is sufficient to keep them and their data safe.  From phishing attacks to “drive-by” malware, attackers are always after your systems.  It’s hard enough being vigilant against these attacks at home, but the problem is worse when we use public infrastructure such as Wi-Fi at the coffee shop or “courtesy kiosks” at hotels.  When we don’t control the computer or the network it’s on, we are at significant risk.  Being careful about which websites you visit on public infrastructure is a good start, but it is not enough if the computer or the network itself is compromised: a keylogger or a hostile network sees every password you type, no matter how strong it is.

One of the best tools in your arsenal to protect yourself in these environments is multi-factor authentication (MFA; the common two-factor case is called “2FA”).  So what exactly is 2FA?  It’s simple, really: in order to prove your identity, you must present at least two of the following, drawn from different categories:

  • Something you know (like a password)
  • Something you have (like a physical token or a cell phone – more on that later)
  • Something you are (like a fingerprint)

By requiring at least two of these factors, a target application or website can have much greater confidence that a user is who they say they are, because an attacker who steals one factor (a password captured by a keylogger, say) still lacks the other.  Of course, the “something you know,” which more often than not is a password or the answer to a question (“what’s your favorite color?”), is the one we all know.  Increasingly, organizations and applications also require the “something you have” factor.  This can take several forms, including physical token devices issued to users, dedicated authenticator apps on a phone, and one-time codes delivered by SMS.  Regardless of the format, the value of a “something you have” token is that it produces a rotating number (or other short message) derived from a secret shared with the back-end system and the current time or a counter, so presenting the right code at the right moment proves that you are who you say you are.  Because each code is only valid for a short window, a code that an attacker captures today is useless tomorrow.

So how can you leverage 2FA to your advantage and minimize your risks online?  Here are some options everyone should consider:

  • If the common web applications you use – banking, social media, email, and others that contain your private information – support multi-factor authentication, use it.  Today, 2FA doesn’t require a physical token: an authenticator app on your phone works just as well, and either of those is more robust than codes delivered by SMS, which depend on the security of your phone number and carrier.  Any of them defeats the common case of a keylogger or screen-capture malware harvesting your password for later use, because the captured one-time code expires within seconds.  It does not stop an attacker who phishes the code and relays it to the real site in real time, or malware that hijacks your session after you have logged in, so 2FA is a strong layer, not a substitute for the other precautions here.
  • If your phone, computer or other device offers a biometric unlock such as a fingerprint reader, configure it and use it.  That is the “something you are” factor, and it also protects the device that often serves as your “something you have.”
  • Finally, make sure everything you connect to is encrypted.  2FA doesn’t provide encryption; it only provides another authentication factor.  Always make sure that any website with which you access or share private information is protected by encryption (an “https://” URL).  Also, the original SSL protocol versions are no longer considered secure; the connection should use the more modern TLS protocol (still often erroneously referred to as “SSL,” but a more mature design that provides the same service), preferably TLS 1.2 or later, and your browser should be configured or kept up to date so that it refuses the obsolete versions.  Although encryption doesn’t mitigate keyloggers or other malware that intercepts data before encryption or after decryption on your own machine, it does block man-in-the-middle (MitM) attacks on the network in between, which is exactly the threat on a coffee-shop Wi-Fi network.

See the pattern?  Multi-factor authentication is your friend; it will help to keep you safe, and when coupled with encryption it is a formidable combination for keeping you – and your data – safer, especially on computers or networks that you don’t control.
