Two Factor: The Gold Standard
Two Factor Authentication (or 2FA) has been treated as the gold standard for a while now, but it didn’t always mean a code from a text or an email. Before smartphones (and therefore a portable email inbox) were widely available, the second factor in 2FA was usually security questions. But websites ask for that too. So what part of it is supposed to make whatever account is under 2FA more secure?
Two Factor Authentication combines something you know with something you have. In today's world, you have a phone that can be sent a code, and you know the password to the account.
Before that was widely available, banks and similar institutions paired something you have (a valid ID or debit card) with something you know (your Social Security number, your account number, or maybe a security question you'd set up with them previously). This all makes it less likely that the unscrupulous grocery store manager who took your check can use it for nefarious purposes. He might have the account number printed on the check, but he doesn't have your ID or the answer to the security question, so he doesn't get access to your account. Even better, he'd have a really, really hard time getting either of those things without drawing suspicion. Great!
Surely, 2FA has SOME Weakness?
2FA is an excellent second layer of security for systems that may otherwise be pretty easy to brute-force into. In fact, Microsoft estimates that 2FA stops somewhere between 95-99% of all brute force attacks! It can also act as a sort of warning system: if a website with 2FA enabled sends you a code you didn't request, you know someone has your password and it's time to change it, before your account is actually breached. Not today!
Knowing all of this, you should also know that 2FA isn't infallible, thanks to social engineering. Social engineering is a form of attack that manipulates people, instead of computers, to get information. Craigslist (a platform where people can buy and sell used items online) had to put out a notice telling people that they shouldn't give any code they receive over text to a stranger. That's why today, apps will tell you within the 2FA message itself that you shouldn't give the code to anyone.
Administrators within a Microsoft tenant shouldn't need to log directly into any one person's account, because their administrative permissions already let them do their job. The same goes for software support agents: legitimate agents of Microsoft may need your email address, but they will never need your 2-factor code. Your bank will never call to ask you for your 2-factor code. Nobody should be calling to ask for a code you didn't request, and nobody should ask for one over any support line.
Stay safe!
(If you want help setting up the security your business needs, get in touch: https://elixistechnology.com/contact/)