Strengthening Login Security (3 of 4)
This post is the third in a series of four about the current role of passwords in cybersecurity. Specifically, we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a supporting role.
While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization.
The first post in this series is here. The second post is here. The fourth post is here.
If passwords aren’t strong enough to identify a user as really that user, what are we to do? One idea is to check who the user is, in more than one way. This is called Multi-Factor Authentication, and it’s becoming pretty widespread. “Authentication” is what security professionals call the process of verifying that a user is who they say they are, and “Multi-Factor” means “more than a password” (basically). Multi-Factor Authentication is abbreviated MFA.
There are several forms of MFA, such as sending a text message with a short code, or sending an email or even voice call with that code. In most cases this relies on the user having their cell phone nearby, and having previously put their cell number into a profile. The web site designer is using the user’s possession of the cell phone as another proof that they are who they say they are.
There are other forms of MFA. Recently some companies have been using their phone app, instead of text messages, to verify that the user is currently trying to log in; this is pretty nifty. There are also “authenticator” apps that can generate the short code right on your phone, if they’ve been preprogrammed with a key from the web site. Authenticator apps are pretty secure but also kind of geeky to use. These last two approaches don’t rely on the text messaging network, which wasn’t really built for transmitting security information.
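As an added example (not code from the original post), this is how the "preprogrammed key" arrangement works under the hood: the web site and the authenticator app share a secret, the app derives a six-digit code from that secret and the current time (RFC 6238 TOTP over RFC 4226 HOTP), and the site recomputes the code to verify it. The key, timestamps and skew window below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch.
    This is what the authenticator app computes on the phone, with no network involved."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check. The site recomputes the code for the current step and for
    `window` steps either side (phone clock skew), comparing in constant time so the
    check does not leak how many digits matched. Real deployments also record a used
    code so it cannot be replayed within the same step."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, len(submitted)), submitted):
            return True
    return False


def enrollment_secret(key: bytes) -> str:
    """The form of the shared key that the site shows (usually as a QR code) for the
    user to load into the authenticator app once, at enrollment."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # Constructed demo of the whole flow: enroll, generate on the phone, verify on the site.
    shared_key = os.urandom(20)                  # the site generates this at enrollment
    print("Key to load into the app:", enrollment_secret(shared_key))
    now = 1_700_000_000                          # constructed "current" Unix time
    phone_code = totp(shared_key, now)           # what the app displays
    print("App shows:", phone_code)
    print("Site accepts it:", verify_totp(shared_key, phone_code, now + 20))
    print("Site rejects a guess:", verify_totp(shared_key, "000000", now + 20))
```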
So what’s the best form of MFA? It’s the form you will turn on and use. MFA that’s too annoying or slow to use doesn’t add any security. MFA that you use adds security, by providing another proof of your identity over a separate communications path. Use it.
We’ll tie this series together in the next post, Recapping Password Usage.