Multifactor Authentication

Dave Hodgdon and Steve Ripper talk about multifactor authentication, what it is, and why it’s important for protecting your login accounts from password theft and phishing scams.

Mike: News/Talk 98.1 WTSN. Great to have you with us on the WTSN Morning Information Center, and we’re powered today by our good friends at Portsmouth Computer Group with convenient locations in Portsmouth and Dover now into Manchester and Portland, Maine. We’re joined by Dave Hodgdon and Steve Ripper who join us this morning here on Tech Tuesday, everybody.

Steve Ripper: Tech Tuesday, it’s here again. Good morning, Mike.

Mike: Today we’re going to talk about MFA. No, we’re not talking about a master of fine arts, although some people do have a master of fine arts. We’re talking about multifactor authentication and why it is important, why it is the security method of the future. All right, so we’ve been talking a little bit about it, the double check-in for emails and other websites and stuff like that. What is it and why do we need it, Steve?

Steve: We need it because they can get your password. We’ve talked about phishing examples here on the show so many times where they trick you into giving your username and password, whether it’s to Facebook, to Amazon, your bank account, your mortgage, your mortgage lender. Whatever it is, they’re going to trick you to get into your username and password. The industry’s response to this problem is multifactor authentication. They’ve gone and given us all these websites and these logins and these accounts that make our lives so much easier, but because they’ve done that, now everyone else can get at our stuff too. Multifactor authentication is a way to say that even if they get your password, they can’t log into your equipment because they don’t have your phone. If they don’t have your phone they still can’t get in, so that’s really what we’re talking about.

Mike: How do you set it up? What is it, actually, for people who don’t know what it is? I know when I log into my email here at work I log in with my password and then I have to have my phone because I’ve set it up from my phone to give me a code number, a six-digit code number that I put in. That’s my multifactor authentication.

Dave Hodgdon: Correct.

Steve: Mm-hmm.

Mike: Is it always that way? You always have to have your phone, it’s always sent to your phone, or how does that work?

Dave: It could be your regular landline, but typically having the cell phone is the easiest.

Steve: Yeah. We’re talking about having a second device that isn’t just your password.

Mike: Okay.

Steve: When we talk about it, and you’ll see some companies, if you do go to set this up you’ll see sometimes they call it two-factor. The terms are interchangeable, multifactor and two-factor. What they’re talking about is having a second thing besides your password. You have to type your password in, but you have a second device that also authenticates. The idea is that if someone has your password they don’t have the second thing. So yes, you do always need your phone, Mike, that’s true. There are mechanisms built into it that if you lose your phone, you can get around that. What you’ll do is when you go to set it up they’ll ask you for an alternate phone number so that they can call you so you can get into your email…because you’re going to get a new phone, right?

Mike: Right.

Steve: If you used a phone to set it up, you’re going to get a new one when you lose it. They have secondary methods to get by it.

Mike: Once you put in your password, for instance signing into your email, you’ll get a call on your landline or you’ll get a text message on your cell phone or anything else.

Steve: So, the call is least desirable.

Mike: Right.

Steve: The call is the least secure way of doing it.

Mike: Okay.

Steve: That’s just a way … Think of the calling as you have no other choice, you don’t have any other way of doing it. But really what we’re talking about is we’re always talking about either having a text, a number sent to the text, which is secure, and then you have what are called authentication programs: Google Authenticator, Microsoft Authenticator, Duo, Duo is the big third party in the industry that does this. An authenticator … The Google and Microsoft authenticators are downloadable on your phone, they’re free, you get them out of the store. What they do is that you can either have it give you the code automatically so they don’t have to text you, and that’s really useful if you don’t want to have to do…

If you have limited texts, if you have limited on your plan, you don’t want to have to have a text every time you log in. So, you can do the authenticator, or it can do what’s called a push. What a push means is that when you go to sign in it will just give you an alert on your phone and you can just hit accept.

Mike: Approve, yeah.

Steve: It just makes it fast, it’s just really quick to get in.

Mike: Got you.

Steve: Because it’s a pain.

Mike: Are there apps for this as well?

Dave: Oh, yeah.

Steve: Yes. That’s what these are. We’re talking about these are … They’re called authenticator apps.

Dave: I originally thought this was kind of like an inconvenience, Mike, but it’s really not. Once you do it a few times you start realizing, because with all of today’s passwords being compromised, you want a secondary way of proving it’s you. I just like to always give some simple examples.

In the old days when you went into your office it was just the key, but now you’re going in with the key or the key fob, but then when you get inside the building you have to put a code to disarm the alarm system, so it’s a secondary way to confirm it’s you getting in the system and if it’s not you then they will call you to confirm that’s you. I assume many of the listeners, the audience, has done something with their bank or their credit card and they’ve gotten some form of text back in their phone to confirm it’s them.

Steve: Yeah. What’s the rule, Dave? What’s the rule? If it’s difficult for you, if it’s uncomfortable for you, it’s difficult and uncomfortable for them.

Mike: That’s good to remember.

Dave: Yes.

Mike: When are we going to get to the point where we have to actually … They recognize your eyes. Like 007. Are we getting to that point?

Dave: Oh, absolutely.

Steve: Well, so, thumbprint on your phone…

Mike: There’s thumbprints, right. There’s face identification now.

Steve: Sure. And some of the companies will just build it in so you don’t even have to set it up. Gmail is like that. If you have Gmail on your phone and you have a Gmail account, when you go to login to the Gmail website it will just pop up in Gmail on your phone that just says, “Hey, did you just sign in?” And you say, “Yes.” That’s an example of a company building multifactor authentication in without even you setting it up, it’s kind of just built into it.

Mike: Yeah.

Steve: Other companies you have to set it up and I would implore everyone out there to do it on your Amazon account because Amazon is an easy place for people to go make purchases on your stuff, so they want to hack into your Amazon account. Amazon has multifactor, it uses Google Authenticator, it uses text, whatever you want. What you’re looking for in a lot of these websites, banking, whatever, you’re looking for the security options, that’s where you’re going to go. If you’ve never done this before they will actually lead it for you, they’ll have instructions right in there. On Amazon you’re going to go to options, you’re going to go to security. Your bank account, you’re going to go to the security sections. Wherever that’s located, that’s where you’re looking.

Mike: It’s pretty easy, actually.

Steve: Yeah, it’s not that hard.

Dave: Yeah. Once you do it two or three times … It seems like it’s inconvenient. People are just, “I can’t believe you’re making me do this.” But our job as the IT provider is to make your data as secure as possible.

Mike: Yeah.

Dave: The bad actors want to hack your password and the most common one is your email. Today now with the Microsoft 365, MFA is a feature that’s free.

Mike: Oh, I was going to ask you if it was free.

Dave: It’s free. It’s built into the product. What it requires is some education and some training before you activate it, but here’s their product and, again, the bad actors want your email password because once they’re in, that’s a huge liability that they would have access to many other things.

Mike: Email is still the biggest target of these cyber criminals out there?

Steve: Oh sure, because it’s the one thing everybody reads all day long. You’re going to check your … Facebook is moving up on the list, they want to hack Facebook because they want the analytics. Instagram, LinkedIn, those are moving up, but email is still the one thing … Everyone has an email account. Everyone had an email account before they had a cell phone, so that’s the number one target.

Mike: You mentioned Facebook. How do you know about Facebook? Because obviously I’m getting things … I get to requests for friendships on Facebook of people I’m already friends with, so obviously they … Then they come back a day later and say I’ve been hacked, don’t accept my friend request. What happens if you do accept the friend request, what happens?

Steve: I don’t know what that does. I don’t know if the friend request is hacked, but what they’re really doing is they’re trying to sell you stuff, they’re trying to…spam within Facebook is when they’re sending messages in instant messenger, that’s what you’re watching out for.

Mike: Yeah.

Steve: But you’ve just got to be careful about that too. Have a strong password and then try to turn on this multifactor that we’re talking about, everywhere you go. I always tell people, like you heard me say Amazon, right? The real goal is that once you do one, you get used to grabbing your phone and you get it set up, and then what happens for most people is they go, “Well that wasn’t that hard.” And then it’s only a short leap to, “Why aren’t I doing that for everything? Why aren’t I doing that for my bank account?”

Dave: Right.

Steve: Because you feel more secure. You feel like you get it when you do it that, “Oh my God, now someone can’t hack me.” Once you feel that you’re like, “I need to do that for my bank account. I need to do that for my email. I need to do that for my Amazon.”

Mike: Yeah.

Steve: You get one under your belt.

Dave: I speak to a lot of our clients and you’re talking to them about the cloud, “Dave, I don’t want to go in the cloud.” And then I bring up, “Are you banking?” They go, “Yeah.” “Are you banking in the cloud? Are you logging in?” “Yeah.” “Are they authenticating it’s you when you do something?” “Yeah.”

Steve: You’re already there.

Dave: Then they start realizing, “Oh, I guess it’s not that bad because I’m authenticating that it’s me.” But I think probably 15% to 20% of our clients are on multifactor authentication, I think in the next two or three years it’s going to be 75% to 80%. I think it needs to be the norm.

Mike: I’m sure it will be the norm eventually.

Steve: This is the industry’s, the IT section of the industry.

Mike: Yeah.

Steve: This is their response to everyone getting hacked. This is the fix for it.

Mike: Yeah.

Steve: And more and more companies are going to start to say that when you go to set up an account you don’t have any choice. You’re not going to be able to set up an account without doing the multifactor.

Mike: Well that makes sense.

Steve: Most banking websites are hitting that right now.

Mike: That makes sense.

Dave: My tip of the day is anything major to do with your financials, your bank account, credit cards, major log-ins that people are sharing, Amazon. But your Microsoft 365 it’s email, almost everyone is moving that direction. Mike, get the multifactor authentication set up. PCG is your help. If you need some help we’ll do a training session, help educate you, and then turn it on and it will be a game changer because once you start using that, it’s a very simple process. As Steve said, you just … It’s a click.

Mike: All right.

Steve: This is also true for gaming, so any gamers out there listening or parents of kids that have gamers, a lot of these gaming websites also have multifactor built into it, you have to turn it on. A lot of money changes hands in these online video games.

Mike: That’s a good point.

Steve: Fortnite on Steam, the game stuff.

Dave: Yeah.

Steve: A lot of money-

Mike: Well now we’ve got legalized gambling and sports betting here.

Steve: We do. Sports betting and many of these gaming sites have these loot boxes that are basically gambling, so turn on the multifactor for that as well.

Dave: Because your kids have gotten their parents’ credit card.

Steve: Oh, yeah.

Dave: Now it’s up there, so think about that. Yeah, your kid in Fortnite, dialing up $50 a day.

Mike: Maybe I’ll ask my mom for her credit card.

Dave: Yeah.

Mike: Good idea.

Steve: Yeah.

Mike: That’s good stuff right there. MFA, multifactor authentication, and why it is the security method of the future. Thank you guys. Dave Hodgdon and Steve Ripper joining us from Portsmouth Computer Group. Always good to see you guys on Tech Tuesday.

Steve: Our pleasure.

Dave: Thank you, Mike.