Oregon FBI Tech Tuesday: Building Digital Defense with Multi-Factor Authentication (MFA)
It sounds complicated—but multi-factor authentication—or MFA—really isn’t that difficult. In fact, you are probably already using it and just don’t realize it.
MFA is just a process that requires you to prove who you are in more than one way. Banks, utilities, social media platforms, and more are using this technology every day to protect your private data. Remember the last time you had to answer a challenge question to get into your account? Or you received a one-time PIN via text or email to confirm that it was really you who forgot your password and are now trying to reset it? That is multi-factor authentication.
There are three categories of credentials: something you know, something you have, and something you are. Let’s break that down.
- “Something you know” would be your password or a set PIN that you use to access an account. The PIN doesn’t typically change.
- “Something you have” would be a security token or app that provides a randomly generated number that rotates frequently. The token provider confirms that you—and only you—could know what that number is. Also, “something you have” could include verification texts, emails, or calls that you must respond to before accessing an account.
- “Something you are” includes fingerprints, facial recognition, or voice recognition. Sounds a bit unnerving—but think about how you unlocked your smartphone this morning. You’ve probably used your prints or your face several times already today just to check your email.
Multi-factor authentication is required by some providers, but for others it is optional. If given the choice, it is in your best interest to take advantage of MFA whenever possible, but definitely when dealing with your most sensitive personal data. This includes your primary email account, your financial records, and your health records.
To make it easy, the U.S. Department of Homeland Security has gathered a list of links from all the major players to walk you through how to set up multi-factor authentication. The list includes the biggest banks, social media platforms, email providers, gaming sites, online health record providers, shopping sites, cloud storage companies, and more. You can get to it by going to https://stopthinkconnect.org/campaigns/lock-down-your-login
As always, if you have been victimized by a cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.IC3.gov or call your local FBI office.