nodir nazarov

Enhancing Security with Multi-Factor Authentication (MFA)

“Something you know” is a password for a website or a code for your entrance door. Used alone, it is the weakest form of protection. Passwords are regularly leaked (often as hash dumps that attackers then crack offline), sniffed, guessed (about 0.8 million LinkedIn subscribers used the password “123456” at one point), brute-forced, or “shoulder surfed” - just follow any major public company breach disclosure. In other words, passwords can be obtained with relatively little effort.

“Something you have” is a physical item - a badge for building access, a token, or a physical key. Or a mobile phone - I am talking about the phone as a device in your hands, not a phone number. Financial institutions opted for “something you have” by sending a verification code or prompt to your device.

“Something you are” is your biological identity. Fingerprints, palm scans, face recognition, vein layouts, iris scans, and retina scans can represent you as an individual. Biometrics are very hard to replicate, although unlike a password they cannot be changed if they ever leak, which is why they are normally used alongside another factor. TSA PreCheck (fingerprint enrollment), Prometric exam centers (palm scan), and CLEAR (iris scan) are familiar examples of “something you are” authentication.

When we combine “something you know” with “something you have,” we use MFA. The math is simple: if the two factors are compromised independently, the likelihood of a takeover is the probability of obtaining the password multiplied by the probability of also controlling your physical token, key, or phone. Not impossible, but not trivial either. The independence is the important part: a scheme where both factors can be captured at the same point (for example, both typed into the same fake login page) does not get the full benefit of the multiplication.

Some reputable vendors even say MFA prevents 99% of account attacks. I am a bit skeptical about this claim after witnessing an extreme takeover of an MFA-protected account. However, one thing is apparent - a second factor substantially raises the cost of unauthorized access.

Okay, what are the next practical steps?


- First, protect your main email with MFA (2FA, strong authentication, OTP, “authenticator,” or whatever term your email provider uses for an additional factor of authentication). Your main email is the gate for password recovery on your other accounts: when a bad actor owns your main email, they own it all.

- The MFA option is typically under the account's "settings," in a "security" section.

- Prefer “authenticator” over “phone verification” (SMS or voice codes) if there is an option. Phone numbers can be taken over, for example through SIM swapping or social engineering of the carrier. Use any authenticator you like - from Google or Microsoft, for instance. It is a small app: during enrollment the site shares a secret key with it (usually as a QR code), and from then on the app derives a short code from that secret and the current time. The server derives the same code independently and compares it with the one you type, so the app needs no network connection.

- It is okay to "remember your device" when prompted, as long as the device is one only you control; never do it on a shared or public computer. Pick 2-4 weeks to stay practical.

- Repeat this for all important digital access - all financial, health, and social media accounts.

- If you are new to this, it can feel overwhelming at first, but with practice it becomes habitual.

It is the norm.

MFA is your friend.

