To get to the core of multi-factor authentication (MFA) and why it’s such an important security feature, we caught up with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser graciously sat down with us for our inaugural coffee chat – a new series on the NSTIC Notes Blog. In this series, we’ll hear from various leaders in the identity community as they share unique perspectives—in their own words—on essential identity topics. See our questions and his answers below.*
What is MFA, and why is it important?
MFA is, most simply, a way of providing additional security by using another factor in addition to your username and password to log in to an account. Multi-factor – sometimes referred to as two-step or two-factor – authentication or verification can be any number of things: a biometric (such as a fingerprint, eye scan or gesture), a text message with a one-time code sent to your phone, a token that generates a one-time-use password or just your phone itself, because your phone has a unique ID. MFA is an extremely important emerging way to increase account security. The new forms of authentication are critical to building a safer, more secure and trusted Internet. Logging in with a username and password, the primary way people access online accounts, has been around since the dawn of the Internet. It was never meant to be a primary form of security but has become the key to entry. It doesn’t work for a variety of reasons. In most cases, your username is your email address, which is likely not a secret, and we know a couple of things about passwords. First, they can be stolen, whether by hacking into a website or system or by using a service that captures consumers’ keystrokes. Second, good password practices require passwords that are long, strong, and unique for all accounts. Time and time again consumers have shown that they choose not to make strong passwords because they are inconvenient and hard to remember. For several years running the most used passwords have included “password” and “1234567.” The bad guys know this, making passwords easy to harvest or guess. MFA adds another layer to the login process that provides significantly more security to your accounts.
What would you say to people who say MFA is too time consuming or inconvenient? Do the benefits outweigh the extra cost?
The benefit of the increased security vastly outweighs the additional effort to implement it. For example, requiring a second factor like a text message to your phone makes it very hard for the bad guys to break into your account unless they have your phone in their possession, and that’s what makes it so much more secure. The time it takes to turn on and use MFA is not significant, and there are ways to make it easier to manage. For example, some of the email applications that use a text message code don’t require you to add the factor every single time; you can set MFA to remember your device, so that you are only prompted to enter a code when logging in from a different device or location or once every 30 days. As time goes on, and the technology improves, it will get easier and more convenient to use this kind of security technology, because it will work more seamlessly with the devices and websites that people are using and/or you’ll be able to use similar techniques across many, many sites and services.
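The "remember my device" behaviour Mr. Kaiser describes (prompt for the second factor on a new device or location, or after 30 days) can be written as a small policy check. The code below is an added illustration, not from the interview or any NCSA material; the account and device records, the 30-day window, and the country-code location labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TRUST_WINDOW = timedelta(days=30)  # assumed policy value, from the interview's 30-day example


@dataclass
class TrustedDevice:
    device_id: str
    location: str          # coarse location label; constructed here as a country code
    verified_at: datetime  # when the second factor was last completed on this device


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    trusted: dict = field(default_factory=dict)  # device_id -> TrustedDevice


def second_factor_required(account, device_id, location, now):
    """Return True if this login must complete a second factor: unknown device,
    known device from a new location, or trust window elapsed."""
    if not account.mfa_enabled:
        return False
    rec = account.trusted.get(device_id)
    if rec is None or rec.location != location:
        return True
    return now - rec.verified_at >= TRUST_WINDOW


def record_verification(account, device_id, location, now):
    """Call only after the one-time code was accepted; (re)starts the trust window."""
    account.trusted[device_id] = TrustedDevice(device_id, location, now)


def walkthrough():
    """Constructed scenario: one account, one remembered laptop, several logins."""
    acct = Account("alice@example.com", mfa_enabled=True)
    t0 = datetime(2016, 1, 1, tzinfo=timezone.utc)
    first = second_factor_required(acct, "laptop", "US", t0)  # never seen: prompt
    record_verification(acct, "laptop", "US", t0)             # code accepted, remember it
    same = second_factor_required(acct, "laptop", "US", t0 + timedelta(days=10))
    moved = second_factor_required(acct, "laptop", "FR", t0 + timedelta(days=10))
    other = second_factor_required(acct, "phone", "US", t0 + timedelta(days=10))
    expired = second_factor_required(acct, "laptop", "US", t0 + timedelta(days=30))
    return first, same, moved, other, expired  # (True, False, True, True, True)
```

Only the remembered device from its usual location inside the window skips the prompt; every other path asks for the code again.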
The National Cyber Security Alliance (NCSA) has a few campaigns related to MFA – what are they?
Our primary campaign on this is called Two Steps Ahead, and it really reflects on what we feel – there’s a play on words about using two-step or MFA, but we also believe in a very positive sense that people who implement these technologies to be more secure are actually getting ahead. If a criminal comes across one account that has a username and password only and another account that has a username, a password and MFA, the criminal will be more likely to go after the former because it’s less work for them. The Two Steps Ahead campaign has held events in more than 20 places across the country over the last couple of years, and we’ll be in 15 to 20 cities in 2016. These events are designed to teach people about MFA and how to enable it and share insight on staying safe and secure online. Additionally, in 2015 we started a social media campaign called #2FactorTuesday, which falls on the first Tuesday of each month. Each #2FactorTuesday, we work with private- and public-sector partners to share events, resources and content related to authentication, aiming to increase the adoption of MFA as a means to protect online accounts.
What are some ways that the average person can incorporate MFA into his or her online routine?
The starting place for anybody is to turn on MFA for your email account. Almost all of the major email providers offer some form of MFA or two-factor authentication service. The reason that consumers should start here is that for any account that uses a username and password, the password reset process normally starts with an email sent to your email address to verify your account. Therefore, if your email account gets hacked because of weak security, you could basically be providing access to all of your other accounts that have password reset as the way to gain reentry. Additionally, people are concerned about protecting their money, so it’s recommended that you look into the MFA options that your financial institutions may offer or how they may provide enhanced login security. You can learn more about how to implement MFA on your online accounts by visiting https://stopthinkconnect.org/2stepsahead. On this page, we provide links to many of the services on the web that already offer MFA or two-step authentication tools for clients and how to enable these features.
* The views expressed in this post do not necessarily reflect the views of NIST or the NSTIC NPO; they are solely the opinions of the experts interviewed.