How do we prove who we are when we sign into a website or check our email?
We generally start with a username and a password. These are sometimes referred to as “Something you know.” Depending on the site’s requirements, our username is often our email address, so there’s nothing all that private here. Anyone who can look up my email address (or has sent or received email from me) knows that. What about my password?
I have gone through a lot of offices and looked around people’s cubicles and found more than my share of passwords on a Post-it note or taped to the back of a keyboard. Maybe you’re not one of “those people,” but many people reuse their passwords for multiple sites. If you’re one of “these people” and a site you belong to is hacked, then probably all sites that use that password can be hacked too. (For more on this, visit our companion article here.)
A better answer is to also rely on “Something you are” or “Something you have”.
“Something you are” refers to your biology. Maybe your phone or your laptop allows you to log in with a facial image or your fingerprint. These are much harder to clone (although I tend to trust fingerprints more than facial recognition in this age of AI). Better still will be retinal scanners and DNA sequencers but those haven’t hit the mainstream yet.
The other answer, “Something you have” often relies on temporary knowledge given to only you. This usually comes in 2 forms:
- When you log in to a site, a numeric token is emailed to your email address of record or sent by SMS or voice call to your cell phone. You need to then retrieve the code and enter it into the website. Usually these tokens are good for a reasonable length of time: from 15 minutes to 2 days before they expire. But what if you’re roaming in a different country with an e-SIM on your phone? Or what if your email account has too much latency to get the code to you in time? Try making a stock trade when you’re on vacation in Norway. Not that easy…
- You can download an Authenticator app to your phone and then load in a QR Code supplied by the website at the time you open your account. When you go to log in, it will ask you for a rolling token from the app on your phone. By “rolling” we mean that the token will change every minute or so. The QR code carries a secret that is shared between the app and the website; both sides combine that secret with the current time to compute the same token, so the code showing on your phone at any given moment can be reproduced only by the website you registered it with. For this option to work, you must have your smartphone with you, but your smartphone does not need to have a network connection. There are many different authenticator apps, but the most common are Google Authenticator and Microsoft Authenticator.

Sample of the Google Authenticator app
Any 2 of these three factors are currently considered adequate proof that you are, well, “YOU”:
- Something you know;
- Something you are;
- Something you have;
The use of more than one of these factors is known as “2-Factor Authentication” (2FA) or more generally “Multi-Factor Authentication” (MFA).
With advances in AI this may change (for example, deepfakes of voiceprints and faces are coming), but for now this is decent security. So how many businesses use MFA to authenticate their employees? According to JumpCloud, the number seems to depend on the size of the business:
- In companies with over 10,000 employees, compliance is about 87%;
- Smaller businesses with over 1,000 employees still report 78% compliance with MFA;
- Businesses with between 26 and 100 employees report 34% compliance;
- Only about a quarter of businesses with up to 25 employees use MFA.
Even then, 62% of users still write their passwords in notebooks or on other surfaces and keep them beside their computer.
Obstacles to MFA
What makes MFA so hard to implement and enforce? From our experience there are a number of factors:
- Management doesn’t necessarily see the risk of not having MFA. Unless or until there has been a catastrophic breach, the day-to-day priorities will focus on serving customers and producing revenue, not minimizing cyber-risks. The growing drive for businesses to purchase cyber-insurance policies may help correct this risk calculus.
- Management doesn’t support, encourage, monitor, and reward or enforce compliance. Sometimes this is because managers don’t see this as important, or they don’t have the skills or don’t want to take the time to manage their teams accordingly. A gamified cyber-security training program can go a long way toward helping employees get on board with understanding the risks and changing their behaviour.
- Lack of software and training standards for employees. New employees should be given MFA and password training and have these skills evaluated as part of their probationary process. A “Password Safe” is a type of software that securely stores and inserts login credentials for users when they need to access an online resource. Some of the most common “Safes” include LastPass, Bitwarden, and Keeper. Password Safes are a great way to keep users from storing a myriad of passwords in a notebook beside their computer or in any other unsafe way.
If you’re interested in more information about Password Safe software or cyber-training programs for your business, Atlas Solutions can help. Reach us here.