In 2012 a hacker stole 6.5 million encrypted passwords from LinkedIn and posted them online. Perhaps the most shocking outcome of this breach: later analysis revealed that the most common passwords used on that site were "123456," "linkedin," "password," "123456789," "12345678," and "111111."
When we opt for patterns and simplicity over long, truly random passwords, passwords alone are no longer an adequate form of authentication.
So what can we do to protect our accounts? We can boost account security and mitigate risk by using more than one form of authentication, also referred to as multi-factor authentication.
Authentication is divided into three categories, or factors:
- Something you know (e.g., password, PIN)
- Something you have (e.g., smartphone, token)
- Something you are (e.g., biometrics, fingerprints, iris)
To achieve multi-factor authentication, a person must provide one element from each of two different categories. For instance, to withdraw cash from an ATM, you must insert your debit card (something you have) and then enter a personal identification number (something you know). Someone who finds a lost debit card still faces that second factor, the PIN, before the card is of any use.
It is important to emphasize that the factors must come from two different authentication categories. Some websites require a password plus the answer to a secret question. This is not multi-factor authentication: both pieces of information come from a single category, something you know. Add to that the possibility that someone can find the answer to the security question through a quick scan of your social media accounts, and it is easy to see why this combination does not suffice.
Is there a downside to multi-factor?
Every security solution is inherently at odds with convenience; this tension is commonly referred to as friction. You likely have used multi-factor authentication and may have noticed this friction.
Many banks ask for a password and a code sent to your phone to access your online account. What if your phone is in the other room? Some institutions provide a small token device that displays a random number to enter after you provide the password. What if you left the token on your desk at work?
The thought of having to do an extra step to access an account may deter some people from enabling multi-factor authentication. Think of multi-factor authentication as insurance: you may not enjoy paying your monthly premium, but you will be glad to have that insurance if and when you need it. You may not need to enable multi-factor on every account. Instead, assess the value of the data in each account, evaluate the risk, and invest in that multi-factor insurance accordingly.
October is National Cyber Security Awareness Month. Learn more about multi-factor authentication at NDSU.