Have you ever worried about malicious cyber actors getting into your accounts? Us too.
The most common password in the country is still 123456. But maybe you’ve taken the time to come up with a password only you’ll know... Are you sure, though? If someone can guess your password from looking at your Facebook page, you’re probably not as secure as you think.
And even if you have a complex password (extra points for a password manager!), malicious cyber actors unfortunately still have ways of getting past it.
Wouldn’t it be nice to make it MUCH MORE DIFFICULT for them? YOU CAN!!! You just need to add a second way of identifying yourself in your accounts.
What you need is … More Than a Password!!
You might be happy using only a password to access your online accounts, but malicious cyber actors are even more excited. Once they have your password, they’re in. And you know what happens once bad actors access your accounts… You’ll see your money—and possibly even your identity—walking away.
Let’s talk a minute about using a second method to verify your identity. First, it’s freely available and called multifactor authentication (MFA). It is also known as “two factor authentication” or “two step authentication.” Look for it under the security settings of your online account. Second, it only takes a minute or two to enable and a few seconds to use.
And now, a message from CISAJen:
MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password. Users who enable MFA are significantly less likely to get hacked, according to Microsoft. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.
Whether you call it two factor authentication, multifactor authentication, two step authentication, MFA, or 2FA, you are using a combination of something you have, something you know, or something you are when confirming you are who you say you are online.
Your bank, your social media network, your school, your workplace… they want to make sure you are who you say you are, and—more importantly—they want to prevent unauthorized individuals from accessing your account and data.
So, online services are taking a step to double check. Instead of asking you just for something you know (e.g., a password)—which can be reused, more easily cracked, or stolen—they can verify it’s you by asking for another piece of information:
They’ll ask for something you know, like a PIN or a password, along with:
- Something you have, like an authentication application or a confirmation text on your phone, or
- Something you are, like a fingerprint or face scan.
Two steps are harder for a malicious actor to compromise. So, prove it’s you with two … two steps, that is.
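To show what “something you know plus something you have” looks like on the service’s side, here is an added example (not code from CISA or from any of the services named on this page). It implements the standard authenticator-app code (TOTP, RFC 6238, built on HOTP, RFC 4226) with only the Python standard library, stores the password as a salted hash, and accepts a login only when both factors check out. The username, password and salt are constructed; the TOTP secret is the RFC test-vector secret, so the codes it produces can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct

STEP = 30             # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
ITERATIONS = 200_000  # PBKDF2 work factor for the stored password hash


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, for_time // step)


def enroll(username: str, password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Server-side record created when the user sets a password and enrolls an
    authenticator app. The password survives only as a salted PBKDF2 hash; the
    TOTP secret is the shared secret behind the QR code the app scanned."""
    return {
        "username": username,
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
    }


def verify_login(record: dict, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Accept the login only if BOTH factors are right.

    Both factors are always evaluated, so the response does not reveal which one
    failed. A code is accepted for the current time step plus `drift` steps on
    either side (clock skew), but never for a counter that has already been used,
    so a code someone managed to capture cannot be replayed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    password_ok = hmac.compare_digest(candidate, record["password_hash"])

    counter_now = now // STEP
    matched = None
    for counter in range(counter_now - drift, counter_now + drift + 1):
        expected = hotp(record["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()) and counter > record["last_counter"]:
            matched = counter
    code_ok = matched is not None

    if password_ok and code_ok:
        record["last_counter"] = matched  # burn this code and every older one
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; the TOTP secret is the RFC 4226/6238 test-vector secret.
    rec = enroll("alice", "correct-horse-constructed", b"12345678901234567890", b"constructed-salt")
    t = 59
    print("password + current code   :", verify_login(rec, "correct-horse-constructed", totp(rec["totp_secret"], t), t))
    print("password only (wrong code):", verify_login(rec, "correct-horse-constructed", "000000", t))
    print("code only (wrong password):", verify_login(rec, "wrong", totp(rec["totp_secret"], t), t))
```

The point of the last two lines is the one the paragraph makes: a stolen password on its own, or a stolen code on its own, gets nobody in. The replay guard matters too, because a six-digit code that has been typed into a fake page is otherwise valid for up to a minute.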
Click the video below, and we’ll help you remember that! Warning: Earworm below!!!
Now that you know what it is, you’ll see prompts for multifactor authentication all over. So whenever available, be sure to opt in. Start with your email account, then financial services, then social media accounts, then online stores, and don’t forget your gaming and streaming entertainment services!
And if you don’t see a prompt for multifactor authentication on one of these accounts, send a note to each company asking them to enable the feature. After all, it’s your security at stake!
And here's a social media toolkit to help us spread the word!
Start by looking at the security settings on your most-used accounts. You may see options to enable MFA listed as “Two Factor Authentication,” “Multifactor Authentication,” or “Two Step Factor Authentication.” There are many ways you may be asked to provide a second form of authentication. Popular forms of MFA include text message (SMS) or voice, application-based MFA, and phishing-resistant MFA.
Not all MFA methods give you the same level of protection. Some MFA types are better than others—phishing-resistant MFA is the standard all industry leaders should strive for, but any MFA is better than no MFA. You should still strive to implement stronger MFA to avoid being hacked.
- The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. CISA urges all organizations to start planning a move to FIDO because when a malicious cyber actor tricks a user into logging into a fake website, the FIDO protocol will block the attempt. See CISA Fact Sheet Implementing Phishing-Resistant MFA, CISAJen’s blogpost Next Level MFA: FIDO authentication, and the FIDO Alliance’s How FIDO Works for more information.
- If you can’t currently implement phishing-resistant MFA, consider using number matching MFA to block mobile push bombardment and SMS-based attacks. See CISA Fact Sheet Implementing Number Matching in MFA Applications for more information.
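The FIDO bullet above says the protocol “will block the attempt” on a fake website. The reason is that the browser, not the page, writes the site’s real origin into the signed data, the authenticator only answers for the RP ID the credential was created under, and the genuine service checks both. The following is an added, stand-alone simulation of those WebAuthn checks, written for this page; it is not CISA’s or the FIDO Alliance’s code. The names bank.example and bank-example.com are constructed, and an HMAC over the signed bytes stands in for the authenticator’s public-key (ECDSA) signature so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Simulated FIDO authenticator: every credential is scoped to the RP ID it
    was created for, and a request naming a different RP ID finds nothing."""
    def __init__(self):
        self._creds = {}    # (rp_id, credential_id) -> key
        self._counter = 0   # signature counter, increases on every assertion

    def create(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # simplification: a real authenticator releases only the public key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        for (rid, cred_id), key in self._creds.items():
            if rid == rp_id:
                self._counter += 1
                auth_data = sha256(rp_id.encode()) + b"\x01" + self._counter.to_bytes(4, "big")
                sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()  # stands in for ECDSA
                return cred_id, auth_data, sig
        return None


def browser_get(page_origin: str, rp_id: str, challenge: bytes, authenticator: Authenticator):
    """The browser's part of navigator.credentials.get(): it refuses an RP ID the
    page's origin is not entitled to, and it writes the real origin into
    clientData itself, so page script cannot claim to be somewhere it is not."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    result = authenticator.get_assertion(rp_id, sha256(client_data))
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"credential_id": cred_id, "client_data": client_data,
            "authenticator_data": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id, self.allowed_origins = rp_id, set(allowed_origins)
        self._creds = {}       # credential_id -> {"key", "counter"}
        self._pending = set()  # challenges issued but not yet consumed

    def register(self, authenticator: Authenticator) -> bytes:
        cred_id, key = authenticator.create(self.rp_id)
        self._creds[cred_id] = {"key": key, "counter": 0}
        return cred_id

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion) -> bool:
        """The server-side checks WebAuthn requires, in order."""
        if assertion is None or assertion["credential_id"] not in self._creds:
            return False
        cred = self._creds[assertion["credential_id"]]
        try:
            cd = json.loads(assertion["client_data"])
            challenge = bytes.fromhex(cd.get("challenge", ""))
        except (ValueError, TypeError, AttributeError):
            return False
        if cd.get("type") != "webauthn.get" or challenge not in self._pending:
            return False
        if cd.get("origin") not in self.allowed_origins:      # the phishing-resistance check
            return False
        auth_data = assertion["authenticator_data"]
        if auth_data[:32] != sha256(self.rp_id.encode()):     # credential is scoped to us
            return False
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= cred["counter"]:                         # replay / cloned-authenticator guard
            return False
        expected = hmac.new(cred["key"], auth_data + sha256(assertion["client_data"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self._pending.discard(challenge)
        cred["counter"] = counter
        return True


def run_demo() -> dict:
    """Genuine login versus a look-alike site (constructed names), from the service's view."""
    rp = RelyingParty("bank.example", {"https://bank.example", "https://login.bank.example"})
    auth = Authenticator()
    rp.register(auth)
    out = {}
    ch = rp.issue_challenge()
    genuine = browser_get("https://login.bank.example", "bank.example", ch, auth)
    out["genuine_login"] = rp.verify(genuine)
    out["same_assertion_replayed"] = rp.verify(genuine)
    ch = rp.issue_challenge()
    out["lookalike_asks_for_bank_rp_id"] = rp.verify(browser_get("https://bank-example.com", "bank.example", ch, auth))
    out["lookalike_uses_own_rp_id"] = rp.verify(browser_get("https://bank-example.com", "bank-example.com", ch, auth))
    fresh = browser_get("https://bank.example", "bank.example", ch, auth)
    rewritten = dict(fresh, client_data=fresh["client_data"].replace(b"https://bank.example", b"https://bank-example.com"))
    out["client_data_origin_rewritten"] = rp.verify(rewritten)
    out["untouched_assertion_still_valid"] = rp.verify(fresh)
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:34s} {'ACCEPTED' if ok else 'rejected'}")
```

Two things in run_demo carry the lesson. The look-alike site never gets an assertion at all: the browser will not let it name the bank’s RP ID, and its own RP ID has no credential behind it. And if an assertion is tampered with on the way, the origin check fails and the signature, which covers the hash of clientData, fails with it. Contrast that with a one-time code, which the user can type into any page that asks.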
For additional information on recommended forms of MFA, see CISA’s MFA hierarchy graphic (figure 1 below), which sorts all the MFA types into tiers (strongest to weakest).
Figure 1: MFA hierarchy
Implementing MFA makes it more difficult for a threat actor to gain access to information systems—such as remote access technology, email, and billing systems—even if passwords are compromised through phishing attacks or other means.
Malicious cyber actors are increasingly capable of phishing or harvesting passwords to gain unauthorized access. They take advantage of passwords you reused on other systems. MFA adds a strong protection against account takeover by greatly increasing the level of difficulty for bad actors.
Are you an organization that needs help getting started implementing MFA? Here’s a guide.
- Walk This Way to Enable MFA
- Multi-Factor Authentication Fact Sheet
- 4 Things You Can Do to Stay Cyber Safe
- Learn how to set up MFA for Microsoft Accounts
- Learn how to set up MFA for Facebook
- Learn how to set up MFA for Gmail
- Learn how to set up MFA for Apple ID
- CISA: Capacity Enhancement Guide for Organizations: Implementing Strong Authentication
- CISA: Implementing Phishing-Resistant MFA
- CISA: Implementing Number Matching in MFA Applications
- CISA: Next Level MFA: FIDO authentication
- Multi-Factor Authentication (MFA) - Glossary from NIST
- Google: Protect your account with 2-Step Verification - Computer - Google Account Help
- Apple: Two-factor authentication for Apple ID
- Microsoft: How to use two-step verification with your Microsoft account
- Yahoo: Add two-step verification for extra security | Yahoo Help - SLN5013
- AOL: Add two-step verification for extra security - AOL Help
- The FIDO Alliance