
Technolawgical


By Brad Catlin


Sometimes you choose greater security, and other times it is foisted upon you. One way in which greater security is foisted upon you is when a login to a website forces you to type in a number that is commonly sent to you by text message. This can be an annoyance and a pain, but it is also an important step in protecting yourself. And you should take some steps to make this protection stronger, while also making it less of an annoyance.

This extra layer of authentication is called multi-factor authentication (MFA), also known as two-factor authentication. A service that uses MFA grants you access only after you present two or more different types of authentication. The types of authentication fall into three main categories:

• Knowledge (something only you know, like your password);

• Possession (something only you have, like your phone); and

• Inherence (something only you are, like your fingerprint or face).

The code sent via text message is an example of using MFA: it combines Knowledge (your password) with Possession (your phone). Similarly, using a fingerprint scanner on a phone or computer combines Possession (your device) with Inherence (your fingerprint).

Security experts recommend that you use MFA wherever possible. This is recommended because while it may be possible for a malicious actor to compromise one form of authentication, it will be more difficult for them to get two forms of authentication. For example, a password could get compromised in some company’s data breach. But if you use MFA, then that alone won’t let hackers access your accounts, because they still won’t have your phone, fingerprint, etc. Indeed, certain online providers, like banks, require that you use MFA in order to access their online services.

While only certain online companies require MFA, many allow you to opt into using it. This option can usually be found in the service’s security settings. If MFA is not turned on by default, then you should turn it on. This will force the service to use a second authentication factor when you attempt to log in.

If you consistently use MFA, then you run into two basic problems: (1) the default MFA is not very secure, and (2) it isn’t as convenient. But each of these is a solved problem.

First, the default MFA for most services you will encounter is the text to your phone. The weak point in this form of security is your phone number, for an attacker can get it if they want to. This is accomplished most often through a hack called SIM swapping. A hacker SIM-swaps by calling your cell-phone provider, posing as you, and having the customer service representative give them a new SIM card for your phone. Once they do this, all of your text messages will go to them, rather than you. This effectively bypasses this means of MFA, because now they have Possession, not you.

The way to combat this problem is to avoid it altogether by using a different method of authentication. And this can be accomplished by (1) an authenticator app or (2) a hardware device.

There are lots of high-quality authenticator apps: Google Authenticator, Authy, Microsoft Authenticator, and any good password management app (1Password, LastPass, DashLane, etc.). These apps generate a new random-looking 6-digit code every 30 seconds. The app is linked to the website’s security setup, which means that the website does not need to transmit the code to you; you already have it. And these apps solve the convenience problem, too, as they will automatically fill that code in during your login process. This means no more looking at the code on your phone while typing it into your computer.

Another convenient alternative is a hardware device, such as a Yubikey. A Yubikey is a small device that fits on your key ring. It can then be plugged into your computer or placed near your phone to complete the second half of the MFA authentication. These devices cost less than $50 and are very easy to use.

My wish for your new year is that you use MFA wherever possible, and that you use an authenticator app or hardware device as your second form of authentication. It’s easy, convenient, and makes your information a bit safer.

Brad Catlin is a member of the Indianapolis-based plaintiffs’ litigation firm, Price Waicukauski Joven & Catlin, LLC, and has a broad range of experience representing individuals and businesses seeking compensation in complex litigation. Most recently, Brad was a part of the trial team that obtained a $129 million federal jury verdict in a class action involving the unauthorized use of an existing right-of-way for commercial telecommunications purposes. His practice focuses primarily on complex and class action litigation, including professional malpractice, commercial disputes, antitrust claims, and trade secret claims. Brad is admitted to practice in the States of Indiana and Ohio. He is a native of Westfield, Indiana and attended Wabash College as an Honor Scholar. He graduated from Wabash cum laude with an A.B. in Political Science and obtained his law degree from the University of Notre Dame School of Law.
