What is MFA and why you need it!!
MFA requests additional authentication such as a code or push notification when you sign into something. It provides more protection than using a user ID and password on their own. MFA is one of our favorite topics at PCG Tech Tuesday, and we’re excited to share this episode.
Dave Hodgdon: Welcome to PCG Tech Tuesday. This is your host, Dave Hodgdon, and my guest today is Steve Ripper. Good morning, Steve.
Steve Ripper: Hi, Dave.
Dave: What a great day, Steve. Nice and sunny out there.
Steve: Yeah, it is, isn’t it?
What Is MFA?
Dave: We have another great topic today, one of our favorite three letter words, Steve, MFA. What the heck is MFA, Steve?
Steve: It’s the solution. It’s the answer. It’s the thing you should be doing, right? We actually had a conversation before this started that we should be saying MFA in every other podcast. Even if it’s not about it, we should be reminding all of you out there to do it, right?
MFA is the industry’s answer to the phishing problem when they are trying to get your password. See, a long time ago, not a long time ago, a couple years ago, the hackers realized that instead of trying to hack through all the defenses that we’re helping you put up, firewalls, everything else, it would be way easier to just scam you, trick you, convince you, just subterfuge, get you to just give them the credentials. Way easier, right? Much easier. So they start sending you these things that are saying that your password’s going to expire, your account’s going to expire.
Hey, your Amazon account, your password’s going to expire. They then get you to click the link. Because you’re so fast, you have so much to do, you see this, you don’t want your Amazon account to expire, you don’t want your Office 365 password to expire, right? So you click the link, it takes you to a… You don’t realize it, but the page is fake. Looks just like the Office 365 page, looks just like the Amazon page, looks just like the Bank of America page.
That’s the scary one, right? When they do it for your bank account and you fall for it. Oh my God. So you type your credentials in, they now have your credentials. Much easier than trying to hack through your network, right? And it happens all the time. So the industry created this problem. They made it so easy for you to sign into all of these things in the web portals everywhere, that you just make these accounts and you keep going.
And they made it really easy because they made one half of it known. They almost always make you use your email address. So if the bad guy knows your email address, he or she knows one-half of the equation. All they need is the password. That’s all they need. So the industry looked at it and said, “Well, we got to do something, right?” And the answer is, MFA, multi-factor authentication.
Or if you think about it in the context of what we’re talking about, a second form. You’re already giving one form, the password, right? That’s number one.
Number two is saying that not only did I sign in with my password, but if it’s the right password, they’re going to send a code to a device that you have, usually your smartphone. Almost always your smartphone. Either send the code or do what’s called a push technology so that you can just tap the button on your phone that says, “Okay,” and that will then let you into your account. And if you followed that whole chain, the bad guy, even if he gets your password, you fall for the scam, they still can’t get in because they don’t have the code that came to your phone.
Use MFA on All Your Tech Tools and Accounts
Dave: It’s like when I go to the bank, I have my debit card, I put my card in, they ask me for my code. They might have my card, but I doubt they got my pin number. And similar to what you spoke about, I think most users out there, our listeners, some course they’ve had on the phone with their bank or their insurance company, “Let me send you a code to confirm who you are.” “Sure.”
So I think people can relate to that. But MFA, multifactor authentication is a critical component to your business and everyone has to embrace this from top to the bottom to protect your data and reputation. Because, Steve, you hit it right there. They’re out there, these bad guys are everywhere. They’re not targeting a particular someone. They’re just looking for somebody to bite.
Steve: So when I do my live trainings, I’m always telling people, “You should be actively looking for if MFA is available for this thing, whatever you are logging into, your bank’s website, Amazon, your Office 365.” Whatever you’re doing, whatever tool you use for your company, Salesforce, right, Dave, QuickBooks, turn on the MFA.
Dave: Right.
Steve: Find out and be suspicious when they don’t have the option. You should absolutely have it on for every bank account you have. And if you’re in accounting, you should be making sure that your team is trained to make sure that all MFA is turned on because that is your protection level.
Dave: Correct.
Tools Can Add MFA to Programs That Don’t Have It
Steve: That is what’s keeping you from getting phished and then they get into the company’s bank account. That’s where they want to be.
Dave: Yeah. We always ask the question of our clients if their application has built-in MFA. Because if not, you can add a third party because you hit the big bucket right there, the accounting. You have to protect that. And if they don’t have it, it’s a service we can add for them.
Steve: And ultimately, hopefully, I would tell you hopefully the industry moves towards having it be mandatory for all their accounts.
Dave: Correct.
Steve: We’re starting to see that. You’re starting to see bank accounts that when you go to set it up, they’re going to say, “You must do MFA.” I’ll tell you one place it’s interesting where it has become mandatory, GoDaddy and network solutions and a lot of the other web…
Dave: They should.
Steve: Web companies. The reason why is that the first target for the phishing is people’s accounts to manage their websites. If you followed my example a few seconds ago, if they can get into whoever does the website for PCG, whatever your company is, whoever does the website, if they can get into the website, they can put their fake page there and then start phishing other people…
Dave: With that same with email.
What Is a Keylogger?
Steve: And they put a keylogger on it. And those are easy technologies to buy and have, and hackers have that all the time.
Dave: You use that word key… I know what it is, but explain the audience a keylogger. What does that do?
Steve: So a keylogger is literally a module that you’re putting into the website. Like WordPress has modules that will just keylog. And what they’re doing is they’re recording every key press that gets entered into the field where they marked it to be the password.
So when you type in your password of your dog’s name… And we’re going to have one on password security, we’re going to do a podcast just on password security. Try not to use your dog’s name or your granddaughter’s name. But when you type those letters in, when you type Snoopy in, right? They’re recording S-N-O-O-P-Y.
Dave: Right.
Steve: Right. Did I spell Snoopy right?
Dave: You got it right. You got them good.
Steve: Good. So they’re recording that and now they have it, and now they can go log in as you into that real website. And here’s the really scary part. This is the part where… I do this in my live trainings, and everybody kind of sits up a little bit.
Listen, when they get your username and password for your Office 365 account, the next thing they’re going to do, because it’s not a person doing this, it is a computer, the computer then runs that across all the known easy accessible sites out there. So if you use that username and password somewhere else, they got you there too.
Dave: Amazon.
Steve: JetBlue.
Dave: Right.
Steve: Wells Fargo, Bank of America.
Dave: Staples.
Steve: You name it.
Dave: Everywhere, right?
Steve: Salesforce, wherever. If you reuse your password, Instagram, Facebook… When you see your friends got hacked at Facebook, they either got hacked at Facebook or they got phished at work, and they use the same username, password, and email address for their Facebook account and now they’re in their Facebook too.
How Does MFA Provide More Protection Than Passwords?
Dave: So how does it protect me beyond my password?
Steve: So how does it protect you beyond your password? I’m not sure. So it’s really just a second form of authentication, right? It is only you that can log into this, that is really the focus of that.
Dave: As I mentioned before, like your bank card, your debit card, you put in the code right there.
Steve: Exactly.
How to Set up MFA
Dave: How can I get MFA set up and configured for my account, Steve?
Steve: Yeah. So this is where it gets a little challenging. So absolutely PCG can help you with this. There has to be a plug in there. It can be challenging because there isn’t a standard for it. How Amazon’s pages look for where the MFA is looks different than where Microsoft 365’s is. They’re a little bit different looking.
So you just have to have a sense of… It’s going to ask you, you’re going to do it from within your account. So you’re always going to be signing in. You’re not going to be doing it outside the account. You’re going to sign in, you’re going to find the security section under your account details. Generally speaking, that’s where they keep it.
That’s where banks keep it. That’s where Amazon keeps it. That’s where all these companies… When you go to the security section for your account, there’s going to be the choice for MFA and you’re going to type in your phone number, usually when you’re setting up your smartphone, so that it can send either… And you can choose whether it’s going to be either push or just have a text.
Lot of controversy. Don’t use text, do a push. Don’t use push, do a text. My advice is get MFA turned on. Whichever one you’re comfortable with, go with it. And then you can tweak it later if you feel like you need to. But they’re going to send you the push or the text, and then you’re going to enter that number that they sent you. That is going to tell the setup that you did get the text, that it is you, and that you have the one that they sent, and now it’s going to be set up.
From there, every time you go to log in, it’s going to send the code, it’s going to send you a new code, and you’re going to type that in, okay?
How to Set up an Authenticator App
Dave: Yeah. I know some of the common authenticators, which I use all are: Google, Microsoft, Authy, Duo. How do I get the authenticator app, and what’s the easiest way to get that set up?
Steve: So I’m a big fan of the Google Authenticator app just because it works with so many, right? So if you’re doing Office 365, Microsoft 365, you’re going to have to use Microsoft’s Authenticator and you can use some others. But other than the Microsoft Authenticator, I use the Google Authenticator for almost everything else. Now it’s free in both stores. When I say both stores, the Apple iPhone store, iTunes store, whatever it’s called now.
Dave: The Apple IDs.
Steve: Whatever they call that. Can you tell that I have a Samsung? And in the Android, in the Google Play Store, it’s going to be free. You just do Google Authenticator and you just download it. And then all you’re doing is you’re associating that account. It’s the same process.
You’re going to the security. You’re saying, “I want to do the MFA.” Only it’s going to do what’s called a QRC code. You’ve probably seen them before. They’re that little square that has a whole bunch of squiggles in it. You’re going to take your camera and you’re going to point the camera at it. What that does is that’s putting the info for the account into the Google Authenticator. And now Google Authenticator will either generate the code for you, or you can just have it push and you can just push the button and just say, “Yes. Go.”
Why Use a Password Manager and an Authenticator
Dave: Yeah, I feel the authenticator is the way to go. And just to enhance our discussion about MFA, I think a lot of people kind of thought about it four or five years ago. We feel it’s a necessity today. Well, it’s an extra step. I don’t want to spend the time to do it. But I think when I first started doing, it’s like if I don’t have MFA now, I feel something’s wrong. I feel like you should be using MFA on everything.
Steve: Yeah, no. So the two things, Dave, that tells you if you want to have a metric for yourself, that you are doing it the right way, is that you got to have some sort of password manager. We love Keeper, right? We’re going to do a podcast on that. But if you have Keeper, right, if you have a password manager, it means that you are actively making sure that you’re using different usernames and passwords for everything. And then if you have the Google Authenticator and it has a scrollable list of all of the sites that you go to that have an MFA attached to it, you’re doing it right.
Dave: Right.
Steve: You are making sure that you have different usernames and passwords for everything, and you have MFA turned on for them.
Final Word: Turn On MFA
Dave: So to recap, we feel MFA, multi-factor authentication, a lot of it is free to you, but it’s about having the business, the leadership team just embracing MFA and knowing it’s just a way to help protect your data and your business. So Steve, great topic today. Thanks again to everyone for joining us for PCG Tech Tuesday.
Steve: Turn on MFA.
Dave: MFA.
Steve: I start every live training with, “Turn it on,” and I finish with, “Turn it on.”
Dave: Turn it on. All right. That’s a great way to end it. Turn it on, MFA. All right, everyone, have a great day. Again, Dave at PCG at Tech Tuesday.
