MFA for Engineering Companies (Podcast)
Dave and Steve talk about MFA, or Multi-Factor Authentication, and why it’s so important for engineering companies.
Dave Hodgdon: Welcome to PCG Tech Tuesday. This is your host, Dave Hodgdon. I’m here with our Senior Engineer, Steve Ripper. Our topic today is about MFA, Multi-Factor Authentication, and why your engineering firm must use this to protect its most vital assets, your data and reputation. Good morning, Steve. How are you today?
Steve Ripper: I’m good, Dave. How are you? I mean, I’m great. It’s our favorite topic, right?
Dave: It is.
Steve: We’re talking about MFA.
Dave: We love MFA.
Steve: Love it, live it, breathe it.
What Is MFA and Why Do You Need It?
Dave: What is it and why do I need it, Steve?
Steve: So Multi-Factor Authentication, or two-factor authentication, what it used to be called before, is the process where you have a third thing when you log into something. And when I say something, it could be anything, like websites, signing into your device, your Facebook account, applications if they’re set up for them. If it’s set up, you want to really start thinking about having MFA everywhere.
If you’re an engineering firm, this is really important. We’re talking about AutoCAD, we’re talking about all the different apps that you use. We’re talking about the websites that you have to log into, the portals that you have to go to. So if you’re sharing files, you’re moving things around, you’ve got to have MFA.
So the whole thing to MFA is that, you have something you are, something you have, something you know. And I split those up, I move them around, get used to it, all right? I always struggle with it. But something you are is your username, something you know is your password, and something you have is the device that you’re using to authenticate against it.
Dave: And that’s the big one right there, Steve. I think a lot of people are getting used to checking with your bank and you’re used to being sent the code. So we as users, it’s almost mandatory now, that MFA is just for everything. It’s your ace in the deck, Steve.
Steve: Yeah, it is. And so it used to be that I spent a lot of time trying to just explain and get people. Now more increasingly, I’m just seeing people who get it, they’ve at least done it once. Right, Dave?
Dave: Right.
Steve: Maybe they don’t have it everywhere, so that’s my new challenge, that’s your challenge. My challenge is to get them to do it everywhere.
Dave: Everywhere.
Steve: But at least when you talk to people now, “Oh, yeah. I had to do that, they made me set up a bank account when I’m doing the accounting and I had to do the MFA.” Right? Or, “I went to go sign up for this and it wouldn’t let me do it unless I did my MFA.”
Why MFA Is Important For Engineering Firms
Dave: So, engineering firms, we know they’re doing a lot of projects. They’re working in multiple municipalities, government projects with multiple industries, and they’re really dealing with sensitive data that is specific to that project. So it’s important that they use that not only for their CAD licensing, their project management, their backend accounting, and so on. So how does it protect me beyond my password, Steve?
Steve: So, it protects you because it’s very easy for the bad guys to get your password. That is really the response that MFA is to this problem, is that they can phish you. We’re all human beings. We fall for these types of phishing scams, where they send you an email, they scare you, something’s going to expire. Your Office 365 is going to expire. Your log-in to your bank account is going to expire. Maybe you are in charge of the company website and you get an email that says, “Hey, Network Solutions, GoDaddy, your GoDaddy account’s going to expire.” And you think to yourself, “I can’t let that happen. I’m in charge of the website. I’ll get fired.” So you click on it, and you give them your password. So then you’ve been compromised. But if you had MFA turned on, even though they got your password, that’s a thing that happens, they still can’t sign in because they don’t have the thing that’s in your pocket, your phone, or the text to you.
Dave: Right.
Steve: Or maybe you have it set up because you don’t have a phone, you have your desktop phone, but they don’t have that, so they can’t get in, right? Dave, I say this every time we do this, but when I do a remediation, when somebody tells me, “I think I fell for the phishing scam, I clicked on the link and I think I got compromised.” The first thing I ask them, “Did you have the MFA turned on?” And if I see that they had the MFA turned on, I’m less concerned.
Dave: Right.
Steve: I still have to look at it. I still have to test it. I still have to configure it and make sure and change their password and work with them. But the problem is absolutely much less than would have happened if you had gotten compromised and didn’t have your MFA turned on.
How To Set Up and Configure Multi-Factor Authentication
Dave: So, how can I get an MFA set up and configured for my accounts?
Steve: So, I have to answer this question, Dave, in more of a general sense, because there’s so many different ways, like we talked about. There’s bank accounts, there’s application accounts, there’s Office 365, there’s your Dropbox, there’s so many ways — Amazon, Facebook. So I always tell people to look for the security or account options in whatever you’re doing, because that’s where it’s going to be located.
In Amazon, you’re going to go to “account options”, for example, and there’s going to be an option for security. It’s the same thing in Office 365, if you’re in your Office 365 portal, there’s a choice in the account section called “Security”, and that’s where you’re going to turn it on.
Usually you have the app for it, and I like to use the Google app, Google Authenticator. But if you’re doing Microsoft, you’re going to use theirs because they’ve got to have theirs. But for the most part, you’re going to use Google Authenticator. So go ahead and download that ahead of time. And then you’re going to scan the QR code, which will put in the account information. All that’s doing is putting the information into your Authenticator app that’s on your phone. Then it’s going to ask you for the code back; that’s how it knows that it’s working and when you put the code in. Now your MFA is set up.
Dave: Yeah, I think we’re getting used to seeing those scan the codes. You go to many restaurants, and I was down in upper New York, and anywhere you go now, you seem like you have to take the phone and scan the image to get into apps, it’s really come a long way.
Steve: It has. So that’s another thing. I used to have to explain QR codes quite a bit and now people are seeing them simply for menu items.
Dave: Right.
Steve: How do I order a drink? Well, point your camera at the code. It then gives you…
Dave: I just want to see the menu, Steve.
Steve: Right, exactly. But QR codes are the same idea. We use them for MFA, as well.
What is an Authenticator App?
Dave: Right. So we hear this word “authenticator”, and I know what it is, but how do I get the authenticator and what exactly is it?
Steve: So, there’s three. Really two, the Google Authenticator is one, Microsoft Authenticator is the other, Duo is also a third-party one. Duo is more in the space of, if you have an application that could be MFA protected, but they don’t have one of their own, a lot of times they will tell you to get Duo, set Duo up, and then you can attach it to that application. So that’s kind of like a third-party one. But the big two are Google and Microsoft.
Dave: Right.
Steve: And for the most part, you’re going to use Google for almost everything and then Microsoft for the Microsoft things.
Dave: So, the authenticators, you got to have that app in your phone ready to go. But these are for engineering firms. MFA is where it’s at, you have to be doing it. And with the recent announcement from Microsoft about making it mandatory for MFA, we just need to embrace it and move forward. Any closing thoughts for engineering firms and MFA, Steve?
Steve: Absolutely. So for engineering firms, particularly, Dave, they may have compliance things that they want to meet, especially if they’re trying to get Department of Defense contracts. Right?
Dave: Right.
Steve: So, if you’re trying to do any kind of government or defense contracts, you are going to have to do MFA, right?
Dave: Right.
Steve: They are not going to let you sign into things that are just username and bad passwords, right? They’re not going to let you do that, so you’re going to have to [use MFA]. So it’s really critically important. And then you also want to have a good score with your cyber insurance, and you want to have a good score with any other firms that you’re doing business with. You want to be able to present to other engineering…because let’s be honest, when you’re doing projects, you’re often working with other firms.
Dave: You are collaborating, yes.
Steve: You’re collaborating with other firms to make that project happen. So you want your security to be top-notch when you’re dealing with them.
Dave: I agree. So great insight today, Steve, on engineering firms and why they need MFA. So thanks again for joining us for PCG Tech Tuesday and have a great rest of your day.