Imagine separating digital security into two categories — there’s the simple username/password kind of entry, and then there’s multifactor authentication. If you’re somebody who hates remembering a bunch of passwords and security questions, you should brace yourself for a harsh reality check.
While most people can probably agree that remembering countless passwords is a stressful, even impossible, requirement of having so much of our lives digitized, that's not an excuse to be lax about security. Despite this, an estimated 54% of people use five or fewer passwords for all their online logins. That's dangerous because if you reuse a password and a hacker obtains your username and password for your Facebook account, they now have access to your banking information, your insurance policy, and maybe even your tax records!
That’s why so many digital security experts will encourage you to use different passwords for every account. The even better option, if it’s available to you, is to use multifactor authentication, which refers to a combination of two or more different ways of proving your identity when you’re trying to gain access to something. Strictly speaking, multifactor authentication (sometimes referred to simply as MFA for short) can be used for much more than just online accounts. You might have to use it to unlock your smartphone or even enter a physical location.
The factors involved in authentication will vary, but most security situations require a combination of two or three that can be broken down into different categories. The names are fairly straightforward and self-explanatory:
The knowledge factor
This is something that you know (that is, you have to memorize it and remember it off the top of your head, unless your computer is programmed to save it). This includes a password, a personal identification number (PIN), or even security questions.
So if your online banking requires you to enter your password and then answer one of three rotating security questions, that platform is using multifactor authentication with two different knowledge factors. The same can be said of websites that send a code to your phone or email address, to be entered after your password when you log on from a new device.
The possession factor
This is something you physically possess and must present to gain access. The most obvious example is the key to your own home; yes, this is an authentication factor. You might not think of it as such because it's not digital and it's not paired with another authentication factor, but it is a physical object you use to prove your identity.
In high-security environments, the physical item used to gain entry to a location, such as a token, key, fob, or USB device, might be paired with another authentication factor. You have to turn your key and enter your password, for example, or you have to swipe your card and punch in a PIN.
The inherence factor
This final factor for proving your identity is something that is an integral and characteristic part of you, for example your fingerprint, your voice, or your face. To gain entry, you might need to place your hand on a pad so the computer can analyze your fingerprints. Another example is your phone, which uses face recognition technology to unlock itself. Inherent factors are difficult for criminals to mimic unless they have a face that bears a striking resemblance to yours or can believably imitate your voice.
How much safer is multifactor authentication when actually compared with just a simple password? Your security risk could be reduced by up to 99.9%! That's because if a hacker guesses your password (and passwords are easy to guess for someone who knows what they're doing), they still need your fingerprint and your key, or they still need your face and your USB stick. Multiple layers of defense make a break-in far more difficult.
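As an added illustration of the layered defense described above (example code written for this article, not from any vendor or product): a login that only succeeds when both a password (knowledge) and a one-time code delivered to a registered device (possession) are presented, with codes that expire, burn after one use, and tolerate only a few wrong guesses. The account, salt and password in demo_system are constructed sample data, and issue_code returns the code only so the demo can run offline.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300     # a one-time code is valid for five minutes
MAX_OTP_ATTEMPTS = 3      # then the pending login is thrown away

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen user table does not hand over the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    def __init__(self, users, now):
        self.users = users    # username -> {"salt": bytes, "pw_hash": bytes}
        self.pending = {}     # username -> {"code_hash", "expires", "attempts"}
        self.now = now        # injectable clock (e.g. time.time) so expiry can be tested

    def check_password(self, username, password):
        """Factor 1, knowledge. Constant-time compare so timing leaks nothing."""
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    def issue_code(self, username):
        """Factor 2, possession: fresh code for the registered device, only its hash stored; returned here for the demo only."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires = self.now() + OTP_TTL_SECONDS
        self.pending[username] = {"code_hash": hashlib.sha256(code.encode()).digest(), "expires": expires, "attempts": 0}
        return code

    def verify_code(self, username, code):
        """Reject expired codes, cap guesses, and burn a code once it has been used."""
        entry = self.pending.get(username)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(username, None)
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[username]
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["code_hash"])
        if ok:
            del self.pending[username]
        return ok

def demo_system(clock):
    salt = b"demo-salt-not-random"   # constructed sample account, not from any real service
    users = {"alice": {"salt": salt, "pw_hash": hash_password("correct horse", salt)}}
    return TwoFactorLogin(users, now=clock)
```

A correct password alone never finishes the login: verify_code must also succeed, and a guessed code gets at most three tries before the pending login is discarded.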
A Real Life Example
One recent national crisis where multifactor authentication would have made a huge difference was the hacking of the Colonial Pipeline in May 2021. This oil pipeline, which carries most of the country's fuel supply from Texas to the southeastern states, was infiltrated by a ransomware group known as DarkSide. Using an inactive account not protected by multifactor authentication, DarkSide took over the computer managing the pipeline and held it hostage for a $4.4 million ransom.
Until the company paid the ransom in Bitcoin in exchange for a decryption tool, Colonial Pipeline Company had to put an immediate hold on all of its operations so the attack could be contained. This led to the Federal Motor Carrier Safety Administration's declaration of emergency for 17 states and Washington, D.C., in an effort to keep supply lines open. The following month, the company's CEO, Joseph Blount, testified before a U.S. Senate committee and acknowledged that this crisis could have been avoided if the pipeline had been protected by multifactor authentication.
As you can see, it’s a situation your company wants to avoid — if a hack can happen to a major pipeline, it can happen to you too!