MFA Multi-Factor Authentication
On this episode of Tech Tuesday, Steve Ripper from PCG talks with John Maher about multi-factor authentication (MFA). He defines MFA and explains how it provides an additional layer of security, especially in situations where someone is using a weak password or reusing the same password on multiple sites.
John Maher: Welcome to Tech Tuesday, brought to you by PCG, a managed IT services company in Portsmouth, New Hampshire. I’m John Maher, and with me today from PCG is Steve Ripper. Welcome Steve.
Steve Ripper: Hey, thank you, John.
What Is Multi-Factor Authentication?
John: Sure. So today our topic is multi-factor authentication or MFA. Steve, tell me a little bit about multi-factor authentication. It’s something that I think most people have probably heard of a little bit, but maybe they don’t have it turned on or they’re not using it. What is that?
Steve: Yeah. So multifactor authentication is the method that the industry has come up with to be able to secure passwords. The problem is that everyone’s got passwords, they’ve got hundreds of them, or maybe 10, 15, 20 passwords, and they keep using the same passwords over and over again, John. So what do we do when people are using very short lettered passwords and they’re using the same ones over again, and they’re using it in their Amazon account or their Jet Blue account or their bank account or they’re logging into their email or they’re logging into their corporation.
What do you do? So the industry’s response is to have another method of authentication besides that password. So for some people listening, they may think of it as, they may have seen it as two factor authentication. We call it multifactor now, it’s moved from two-factor to multifactor because we’re now incorporating a lot of different ways of doing it as opposed to just two.
But it’s really the industry’s way of saying, “How am I going to help this person stay secure when we can’t really control what they’re picking for their password?” We forced them to do complexity, and a lot of us out there will see that, will see when we’re doing our Amazon or whatever we’re doing, it’ll say, “Hey, it needs to be nine characters,” or, “It needs to have a capital and a lowercase and a number.” And that’s great, that’s Amazon, I’ll pick on them for a little bit, that’s them trying to get a little bit more security into it. But they can’t control if the person uses the same one over and over again.
There’s really no way for them to secure against that because they don’t know where they’ve used that in another place. So multifactor, to wrap that up, John, it’s basically a way of saying, “Not only are you going to type the password in, but you’re also going to have another device that authenticates it.” It’s usually your smartphone, and we’ll probably talk about that in a few minutes.
Why Should You Avoid Using the Same Password in Multiple Places?
John: So what is the problem with repeating or reusing the same password for multiple websites?
Steve: Yeah, so sure. And that’s the question that we get a ton of times. People look at you, I’ll do security seminars, John, and then you’ll see somebody in the audience nod their head or roll their eyes, like, “What’s the big deal?” The truth is that a lot of people think that if somebody gets their password, if they fall for a phishing attack or they hacked, that what’s the big deal? It’s a person, maybe they’ll read my contacts and maybe spam them, or they’ll see everybody in my Facebook account. And the real error that they’re making is, is that they’re thinking that it’s another person on the other side of this doing this. And the thought process is that, how much damage could they do? And it’s just not really how it works.
What’s really going on is it’s a computer on the other side that’s taking your password and doing something with it. And so, as we all know, computers can do things lightning fast. So what computers are doing is they’re taking that password that maybe they gave up for, and I’ll pick on it again, Amazon, and they’re running that password against every other website that’s out there. And usually when I say that in my seminars, John, you’ll see some people get white faced.
How Scam Artists Use Re-used Passwords
John: Right.
Steve: The blood will drain when they think about that, that, “Wait a minute, did he say every website?” Yeah, every known merchant website, Jet Blue, Wells Fargo, Bank of America, Amazon, Fandango, Steam. I can just go on and on. They literally have a list of every one of them. And if you happen to make a mistake and you will, because you’re a human being, it happens, you fall for scams, they are happening all the time. If you give them your Amazon password and you used it anywhere else, they’re getting in there too. That’s just going to happen, that’s a thing. So that’s really the problem. And people do this, they don’t even think about it, they need to simplify it.
When you face somebody with the idea of having 35 passwords, and every one of them has to be 15 characters, and every one of them has to be different, it’s a complex challenge. Most humans will just fall back to, “I’ll use this one again, I know it, it’s right at the end of my fingertips and I know what it is.” But you can see where I’m going with that, John.
If you did it for Amazon and you did it for Bank of America, now we call that an attack surface. Your attack surface now doubled. And if you’ve used it four times, it’s quadrupled. Now, they’re into all of those things and causing all of those problems. So yeah, it’s a huge problem. And the idea is to have secondary authentication. And we’ll talk about this in a second, but the idea is that if you give that password up, the bad guy still can’t get in because they don’t have this other device.
How MFA Protects You When You Reuse Your Password
John: Right. So the purpose of multi-factor authentication is that even if somebody gets your password, they still need to have something else in order to be able to access these websites. Is that correct?
Steve: Yeah. That’s correct, John. So if you don’t mind, John, can I use you for this example?
John: Absolutely.
Why Secure Websites Require Multi-Factor Authentication
Steve: If you were to sign on to Amazon. So people ask me this question all the time, John, they’re like, “Well, how do I set it up?” so it’s not an easy question to answer because every place, every merchant that you go to is different. But as a general rule of thumb, what I would tell people is, to try and find the security options under their account. Okay? So if you’re on Amazon, you’re going to go to accounts, wherever that is in the website, you’re going to go to the security section and you’re going to look for the part that says either two-factor authentication or multi-factor authentication.
And by the way, be suspicious of merchants that don’t have it yet. If that doesn’t have it, then you’re unhappy, you’re writing them an email or maybe you’re not doing business with them. So John, if you went and said, “Well, I’ve got my username, which is my email address.” One of the big problems that we have is that all of these merchants insist on using email addresses. So most of the bad people, they already know what your username is. Half of the problem, half of the puzzle has already been solved for them. They know it’s your email address.
John: Right.
How MFA Protects You From Scam Artists
Steve: So you know you have a username and you know you have a complex password, but if you go and you assign your smartphone to either get a text from Amazon or do what’s called a push, or just get a code from an app, usually the most prevalent is Google Authenticator. Well, now John they’d have to actually kidnap you, or at least steal your cell phone for them to be able to get into Amazon. It wouldn’t matter that they figured out what your password is because the minute they go to log into Amazon, Amazon’s going to send you a text. And if they don’t have your phone, they can’t get in. And that’s really the whole premise. You’ll see, so many people who might listen to this are in corporations and they maybe have a token.
That’s been around for a long time, they’ll say, “Listen, to log into your laptop, not only are we giving you your laptop, but here’s a token device.” Okay? The token attaches to their keychain. Again, it’s a thing that they have with them. The token, all it does all day long is just generate codes. And when they put that code in, they then can also log in, their username, their password, and a device. So for people at home or corporations, small companies, the smartphone is taking that place. But yeah, John, like, they’d have to kidnap you. I do say this in my seminars, you’d have much bigger problems if they kidnapped you than what your password is.
John: Right.
Steve: They’ll be like, “Now we’re in the police and the FBI.”
John: My Amazon password is not the first thing I’m going to be thinking about. Yeah.
Why Thieves Hack Amazon Accounts
Steve: Exactly. Exactly. But if you didn’t do it, John, I pick on Amazon, they love Amazon. They love getting into your Amazon account because it’s basically a giant department store. They, and when I say they, the bad people, whoever they are, they love making small purchases. The real goal is to get in there and live in there. Maybe they make one big score, but what they really want to do is be in there for a long time. So they want to buy small things, things that you may not notice at first that got purchased on your account. You’re going to notice a $4,000 TV.
John: Right.
Steve: But if they buy a rice cooker, if they buy some tools, all of that stuff adds up for them, but you may not notice it right away. So they love that, they love travel options, because that’s an easy one to just purchase a plane ticket and then get the money for it and then just cancel it and get the money for it. So those are all the things. And if you hadn’t done MFA, John, and they did get your password for Amazon, and if you did use it for JetBlue, well, there you go. Now they’re in both.
John: Right. And like you said, if they’re able to just make smaller purchases, you mentioned the rice cooker, if I saw that in my email, “Thanks for your purchase of a rice cooker.” If I’m at work, I might just say, “Oh, maybe my wife purchased that.” And then I’d forget to ask her about it later on. And then it would probably be out of my mind. And the fact that it doesn’t come in the mail a few days later, I’d probably just forget about it. And so that’s the kind of thing that they’re hoping for.
How Thieves Use Computers to Perpetuate Scams
Steve: Yeah. And again, one of the tricks, one of the things that people always think of is it’s another person doing this when it’s a computer. It’s not hard for the bad guys to program the computer to look at your history. So if they’re in your JetBlue account, they can look at where you might travel. And so buying another trip to that city of Orlando, you might not notice it right away.
Or if you buy socks, it’s in your history in Amazon. The computer just parses your history, sees that you buy socks, buys more socks. So that can be insidious, and that always raises people’s eyebrows. Wait a minute. They would actually continue to purchase things that I’ve already purchased? Sure. They’re only interested in the monetary value. Maybe they turn around and sell it, maybe they return it for a credit and then they get a hold of the credit, there’s lots of things that they could do.
Ways to Implement Multi-Factor Authentication
John: Right, right. So you mentioned that you could do multi-factor authentication with your phone, set that up so that you have to get a text message or maybe it’s through an app on your phone or something like that. What are some of the different ways that multi-factor authentication can be implemented?
Steve: Yeah. There’s a lot of different ways you heard me mention key fobs and things like that, but that’s really more corporate. I probably wouldn’t talk too much about that, John. The big three, the first and foremost is texting. So almost everybody at this point, John, has a cell phone, and at this point they know how to send a text or receive a text.
So that’s the easiest, most accessible way to get MFA going. To use your example, if you were to go onto your Amazon website, one of the easiest ways to do it would be to just go into those security options, we use the letters, SMS text is a lot of times what you’ll see. But you want to get a text and then you give it your cell phone number. What will happen is the first Amazon, when you hit next and almost all of these websites, Jet Blue, Bank of America, any of them, corporate stuff as well, it’ll send you a text of six numbers. And it’ll ask you to input the six numbers that you received on your phone into it.
And when you input the correct six numbers, the numbers that they texted you, it will consider you now enrolled, is the word they use. You’ve now set up your MFA. And now it will just continue to do that every time you log in. So every time you log in, it’s going to go, username, password as always, type in your username, or if it remembered it, type in your password. But when you hit next, instead of letting you into the site that you’re doing, it’s going to boom, the very next thing is going to happen is you’re going to get a text on your phone with six new numbers. And you’re going to get a page on the screen that says, “Please enter these numbers.” It’s at that point that I would mention that is where the hacker gets stopped in his tracks, his or her tracks.
They do not have the ability to put the six numbers into the field that you do because you got the text. So text is the easiest, most accessible method. The second one is what we call, you’ll hear an app. And that’ll be the choice in most websites is an app. When we say app, the most prevalent one, because Google is one of the largest, most ubiquitous services on the planet, Google Authenticator is the one that many people use. It’s free, it’s in both the iPhone store and it’s in the Google Play store for Samsung devices. And if you don’t have one of those two cell phones, there’s a store with options for that as well. But you would download the Google Authenticator, it’s free, and basically you’re going to associate the application with it on the website.
And the website, Amazon, Bank of America, all of these ones, they’ll prompt you through those choices. And many people who might be listening to this will be like, “Oh, I’ve done that before.” But for those of you who haven’t, you’re going to open up the app on the phone and you’re going to hit the button that says, “I want to add a new account.” And on the screen where you’re doing it in Amazon, they’re going to show what’s called a QR code. It’s a little square box with a lot of squiggles in it. And basically the app will scan that and it will put the account into the phone. You’re basically just replacing text with the app generating the six digit number for you. There are just some advantages to that, some people find it to be more secure. The industry argues that it’s a little more secure to use the app.
It’s also just easier. The app will just alert you on your phone. In many cases, we call push. The real advantage to doing the app is for what’s called push, where when the notification comes, you can just hit the button with your thumb and it will just let you into the website. The goal for that, John, people always come back and they go, “It’s kind of annoying.” Yeah, it is. It is. The rule that we always say out loud is, if it’s easy for you, it’s easy for the bad guys. And if it’s hard for you, it’s also hard for bad guys. That’s the rule that we all follow. So we are in fact, as IT people going, yeah, we’re going to make it painful for you, we’re going to make it more difficult. Our goal is to make it difficult for the bad team.
Why You Should Be Willing to Use Multi-Factor Authentication
John: Yeah. So that’s an important thing to remember, that, “Okay, I might not want to do this because every time I log into Amazon, now I have to get a text and then they have to put in this code. And isn’t that really a pain?” But if I really think, “Okay, by just doing this one thing that’s one extra little step, I’m making it way harder for, like you said, a bad person to get in there and access my account.” I might be willing to say, “All right, I can put up with the extra 10, 15 seconds that it’s going to take me to log into my Amazon account in order to authenticate myself.”
Steve: Yeah. A lot of security, John, is both trying to find a way to make it as painless as possible for the user, but we are making things more difficult. In the security industry, we call it pushback. We’re getting pushback from doing the changes that we need to make. So whenever we do this for a company, there’s always, “Wait, you’re going to make our password? Ah.” I’ve actually had company presidents say to me, “Well, I want you to make password changes for everybody but not me.” And I have to tell them, “Listen, I know you’re the owner and I work for you, you’re a payer, but security doesn’t have exceptions.
There’re no exceptions in security, we’re either protecting everybody in the company or it’s not worth doing.” So we call that pushback. “Ah, now I have to also get this code when I log in?” So in security, one of the things we try to do is just like what you and I are doing right now, John, just explain why. Explain what the threat is and what you’re protecting against. And when you do that effectively, then the people themselves, exactly just like you did, John, they go, “Okay, you know what? I get that. I get that I need to do this because I don’t want someone hacking in and getting my credit card info and then going off and using that somewhere else.”
Why Everyone Needs to Play a Role in Corporate Cybersecurity
John: Right, right. I think I’ve heard that phrase, if you’re hiking together in a group, you’re only as fast as the slowest member of the group. Or in this case, maybe you’re only as safe as the least safe person at your company. So if you’re the boss and you’re still using the password that’s ABC1234 or something like that, and everybody else has to have long passwords with capital letters and symbols or whatever, you’re not doing yourself any favors, you’re leaving vulnerability out there.
Steve: Yeah, absolutely. For a lot of companies and a lot of what we do at PCG, a lot of it, John, is really doing the Office 365. So almost all the companies now use Office 365 for their email and their messaging collaboration, data saving and things like that. G Suite for Google mail is also a big one in corporations. So if you have 12 people and if you’re a small company, you have 12 people in your company and you’ve gone and turned on MFA for 11 people who have gone and configured their multi-factor authentication for them to log into their mail, 11 of them. And that’s great. If any one of those 11 people falls for a phishing scam, they get an email in their mailbox that says, “Hey, you need to sign in here.” And it’s a fake site and they click the link cause they don’t know any better and they’re busy and they’ve got things to do. And maybe it’s got scary text in it. “Your bill is going to expire, your website’s going to go down, we’re going to close your mailbox.”
So it scares them and they fall for it. They haven’t actually fallen for anything because they have the multifactor turned on. And the bad guy, even though they got their Office 65 password, can’t log into the site or run scripts against it. But I purposely made it 11, not 12. If that one person in the company doesn’t turn on their MFA or we don’t enforce it so that they turn it on and they fall for the phishing scam, well, now the bad person is in their mailbox.
Not only are they in their mailbox, but they have access to email, they have the global address list. They have access to email the other 11 people in the company. And they can actually push a phishing scam to them or maybe some other weapon. Again, the MFA will protect them, but there are other ways of maybe hacking in or getting info from them. Again, just like you said, by having one person ignore the security restrictions… that’s put everybody else at risk, even though the other people were doing the right thing.
How Can You Make Multi-Factor Authentication Easier?
John: Right. So are there any ways to make multifactor authentication easier? Certainly you mentioned the texting and apps like the Google Authenticator. Are there other things that can make it easier for people and maybe make them more likely to use multifactor?
Steve: Yeah. So easier, I don’t know if there are much easier options. There’s no taking out the fact that you need a device of some kind. And there’s no removing, John, the fact that you’re adding a step. So whereas there was one step to get into your JetBlue account, your username and password, and maybe you hadn’t remembered, now there’s two steps.
But the biggest thing I would say, is becoming familiar with the process and really buying into it. I tell people this in my security seminars all the time, your company is paying me to come and talk to you about this so I’m going to focus on the company’s needs. But really the company’s needs are that you are secure, not only when you’re at work, but in your home life as well. Because if you get compromised at home, your bank accounts, your mortgage pay, whatever they’re doing, you’re actually not effective to the company either. You’re going to have to take time out, you’re in trouble, you’ve got drama. So I try to get across to people that the goal is to buy in.
The more you buy in and the more you learn, “Well, I’m going to adopt Google authenticator. It’s easy to use.” And once you start doing your first one, and really the first one is the most difficult one, because you’re really driving your process, or we’re making you. So for companies, again, this is the plug, John, you can hire a PCG and we’ll help you do the corporate ones.
The Office 365, maybe your Windows desktops, plenty of third-party apps like Salesforce and other things have multi factor and we can help you implement that. But for home life, we can’t do that. People need to just embrace it. And when you embrace it, that’s really what makes it easier. “Oh, so I get that.” And I actually have people who’ve come back to me after I talked about this a couple months later, and they’re like, “Steve, now if I go to Etsy or eBay or whatever and they don’t have an MFA option, I’m mad. I don’t feel safe anymore.”
John: Interesting.
Steve: And I’m like, “That’s the attitude. That’s the correct approach. And that’s when it’s easier. I don’t know if IT, John, can really just make the step easier, we do the best we can. But the best thing we do is to try and teach and explain why, so that the third step becomes normal.
Multi-Factor Authentication on Known Devices
John: Right. Yeah. One final question, Steve, sometimes if I turn on multi factor authentication on my bank site or Amazon or something like that, sometimes there’ll be an option that will say, “Remember me on this computer.” And I think it puts a little cookie on my browser or something. So that next time I go to log into one of those sites, it’ll recognize that I’m on a computer that it recognizes, and it will let me in without having to do that multifactor authentication. Is that safe, or should I leave that option turned off?
Steve: So it is safe. I don’t really generally dissuade people away from it. I would tell you that I never do it. But then in my job as security and a number of accounts and websites that I log into, I always say no to that. But I don’t dissuade other people, that’s fine if you want to tell your Chrome browser to remember how to get into your Office 365, as long as we know that you have a strong password and that you have MFA turned on, that’s okay.
What I would tell you though is that you’re basically deferring the protection level to someplace else. The easiest way to describe what I mean by that is your cell phone. So if you tell the app that you’re using to remember your login so that you don’t have to log in again, well then you need to make sure that you have a very secure screen on your phone. So when you put the phone down on the bar and you go to the bathroom and you forget to bring it with you, and maybe somebody steals it, or you drop it on a bus.
You get the idea, you need the protection to be somewhere. If the website is going to allow, or the app is going to allow you into the thing you want to go in, then you need to make sure that they can’t get to that at all. So then you need to have a secure home screen. IPhones are a little better at this than Samsung is. iPhones have really in the last couple of years, really pushed the, “We’re not going to let you not have a lock screen.”
And good for them, that’s the correct way to do it. Samsung is a little looser. The options are there, they just don’t really force the user to use them as maybe they should. But you need to put the security somewhere else. So laptop or home desktop. So I don’t really have a problem with your home desktop because you’re locking the door to your house, because you see where I’m going with that, John.
John: Right.
Steve: The PC is locked inside and maybe you leave it off or whatever, and you have a firewall on your network. There’s some complex answers to that question, but what you’re really aiming for is, well, that’s fine if you’re doing that, but have a good idea in your head of where the security is. If it’s not that you told the website to remember what you’re doing. If you have your laptop, your laptop is always with you. Does your laptop have a strong password when you log into it? So if you leave it on the bus, can they get into your laptop? Make sure that they can’t, because if you saved your login credentials across all the websites and apps on your laptop, but you left the laptop with no password, that’s not good. And that’s how I answer that question.
Contact PCG to Learn More About Securing Your Technology
John: All right. Well, that’s really great information, Steve. Thanks again for speaking with me today.
Steve: Oh, it was great, John. Thanks for having me.
John: And for more information, you can visit the PCG website at pcgit.com or call 603-431-4121.