By Don Dexter | Senior Software Developer
If you are online in any capacity, you’ve encountered a login situation like this:
- You go to a website or portal and enter your login credentials.
- A dialog box pops up: “Would you like a code sent to your email or phone?”
- You receive the code and enter it at the website.
- You gain access.
Annoying, right? Still, we should welcome this verification procedure.
Passwords have been with us since MIT researchers invented the computer login in 1961. Unfortunately, password encryption didn’t come along until the early 1970s. Any valid user could steal a password (and the resources beyond it) by simply looking at a plain-text file. (Of course, one MIT student did just that.)
Ever-improving encryption technology preserved the common username/password combination as a very secure authentication method—until the age of the massive data breach and the rise of significantly more powerful computers.
AOL was, arguably, the first well-known company to experience a large-scale breach, with 92 million records stolen, in 2005. In 2013-2014, Yahoo! admitted to a breach of 3 billion user accounts.
Those passwords were encrypted; so what’s the problem? Computing power.
Passwords Are No Longer Enough to Validate Your Identity
Very inexpensive machines can try trillions of guesses per second to crack passwords. This led Alex Weinert, Microsoft’s Director of Identity Security, to proclaim that your password doesn’t matter. A recent study (pdf) suggests that about 5 billion username/password combinations are for sale, or even offered free, on the dark web. (Are some of them yours? Check whether your credentials have been exposed in any known data breach at Have I Been Pwned.)
Many, if not most, online users apply the same password to more than one site. If criminals grab a password, they might be able to use it even if you’ve changed it at the site of the original breach. What can be done to further secure sites and applications? Multi-Factor Authentication (or MFA).
What is Multi-Factor Authentication?
MFA requires at least two of the following three authentication steps for validation:
- something the user knows, e.g., password, secret question;
- something the user has, e.g., phone, email account;
- something the user is, i.e., a biometric, such as a fingerprint or facial recognition.
The additional authentication “fences off” a site or application behind multiple lines of defense. The provided credentials get through the first layer. The site or application then demands further proof that the credentials are in the hands of their actual owner. Usually, Multi-Factor Authentication solutions send an email or text containing a One-Time Password (OTP) or access code to the email address or phone number registered for the user. MFA solutions can also apply more sophisticated tools, such as Windows Hello or Apple’s FaceID.
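The email OTP step described above, as an added example (not code from the Titan CMS Add-In): the server keeps only a salted hash of the code, enforces an expiry, allows a single use, and discards the code after a few wrong guesses. The user ids and the in-memory store are constructed for illustration.

```python
# Added example (not Titan CMS code): a minimal email-style One-Time Password
# issuer/verifier showing the checks a second-factor step needs.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 5           # after this many wrong guesses the code is burned

# In-memory store keyed by user id (constructed for the example; a real
# deployment would use a database). Only a salted hash is kept, never the code.
_pending: Dict[str, dict] = {}


def _hash_code(user_id: str, salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + user_id.encode() + code.encode()).digest()


def issue_otp(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh code for the user and return it for delivery (e.g. by email)."""
    now = time.time() if now is None else now
    # secrets uses a CSPRNG; zero-pad so every code has exactly OTP_DIGITS digits.
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "salt": salt,
        "digest": _hash_code(user_id, salt, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for the correct, unexpired code."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False                      # nothing outstanding: never issued or already used
    if now > entry["expires"]:
        del _pending[user_id]             # expired codes are discarded, not retried
        return False
    entry["attempts"] += 1
    # Constant-time comparison of the hashes avoids leaking how many digits matched.
    ok = hmac.compare_digest(_hash_code(user_id, entry["salt"], submitted), entry["digest"])
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]             # single use; also burn the code after too many guesses
    return ok
```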
The extra step makes the data on your site or application far less attractive to cybercriminals in the first place. Stolen user credentials are useless to them unless they can also fake the additional authentication factor(s), which present a significantly higher barrier to hacking. Hackers tend to prefer soft targets.
Multi-Factor Authentication Isn’t Just for Big Business
More and more, cyber attackers are targeting small businesses. And they are not just after passwords. They can gain access to user accounts to spread spam, malicious code or even propaganda that can tarnish a business’s reputation.
Why hesitate to implement MFA on your websites or for your employees? Users are already accustomed to it in email, banking and beyond. It will soon be routine at every site that requires a login. Sites without MFA will soon be regarded as insecure and of lower quality, just as sites that fail to use modern encryption techniques are today. Get ahead of the curve. Show users that you understand the importance of Multi-Factor Authentication in reducing risk.
Multi-Factor Authentication with Titan CMS
Titan CMS has a new Multi-Factor Authentication Add-In to help your business address these concerns.
Our easy-to-use MFA Add-In extends the standard login experience with email-based One-Time Password validation. Titan CMS also has a Single-Sign-On Add-In that, when used in conjunction with MFA, gives your users convenient access to all their day-to-day apps even as it maintains a high level of security. For more on SSO, see SSO and SAML: Single Sign On in Titan CMS.
If you’re currently a Titan CMS client and are interested in our MFA Add-In, please contact us or reach out to your Account Director for more information.
Originally Published: Tue, May 11, 2021