My name is Dave Hatter and I'm a cybersecurity consultant with Intrust IT. I'm excited to be here on behalf of my friends from HCM today to talk about a very important cybersecurity topic, in this particular case, multi-factor authentication, also known as MFA. Chances are, you may have heard nerds like me talk about MFA, and it's also important in the world of cybersecurity to understand that sometimes things go by different names.
You may also hear multi-factor authentication referred to as two-factor authentication or two-step verification. And sometimes you might see it written as MFA or the number 2FA, as you can see on the screen there. To the layman, they all more or less mean the same thing, and what it really boils down to is, before you're able to log into a site where multi-factor authentication has been enabled, you're required to produce additional information above and beyond your credentials, or your username or password.
When you hear nerds like me talk about credentials, it's your username and password. The reason why multi-factor authentication is so important is because Microsoft and Google, based on testing billions of log-ins and billions, if not trillions, of signals on their sites, have shown that multi-factor authentication will block about 99% of all automated attacks.
This isn't nerdy old Dave Hatter telling you this; this is Microsoft and Google, two of the tech titans, two of the folks that have the largest platforms in the world with literally millions of users, based on actual real-world experience, seeing how multi-factor authentication is blocking active attacks.
What does it really mean? It's really pretty simple. You go to log into a site, you enter your credentials, your username or password, and assuming this site recognizes your username and the password matches what they have on record for you, you're in.
With multi-factor authentication, there's a second step. You log in, it recognizes your credentials and it says, whoa, wait a minute, before we let you in, we're going to send you what's known as a one-time passcode or password, OTP. Typically this is a six-digit number and it's only good for somewhere between 15 to 30 seconds. This may vary a little bit from one site to another, but those are the general parameters around it.
So that one-time passcode will be sent to you. And you will have a limited period of time, typically 30 seconds, to supply that one-time passcode. The one-time passcode might be delivered to you in a variety of different ways, but the two most common, and the two most useful for the average person, are these. The first: when you sign up for multi-factor authentication, which will need to be enabled on a site-by-site basis, you supply your cell phone number, and then that one-time passcode is sent via text.
Chances are, for your bank account, for your insurance, or your health insurance, you may have already experienced this without even really understanding what it's called and perhaps not realizing that you can enable this on other sites and ideally enable it everywhere that you can.
You go to log in, enter your credentials, and then you get a text to the phone number on file with a one-time passcode. You have a limited amount of time to enter that, and if you don't enter it within that period of time, you'll have to have it resend you a new passcode.
The second most common option is to use what's known as an authenticator app. This is an app you would install on your phone for each site where you have multi-factor authentication enabled. You would go to that site, and typically you'd get a QR code, that weird square barcode-looking thing. You take a picture of it with your phone inside the authenticator app, and that synchronizes the authenticator app to that website.
For example, if you went to the Facebook website, you turned on MFA and you used an authenticator app like Authy, which I've referenced there in the bullets, you would take a picture of that QR code with Authy, and that would synchronize your instance of Authy on your phone to Facebook. And then every time you log in, you don't get a text, you actually open up Authy and you pick Facebook, and it gives you that code.
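As an added illustration of what that QR-code step does under the hood (example code written for this transcript, not part of Dave Hatter's talk or of Authy or any other product named here): the QR code encodes an otpauth:// URI carrying a shared secret, and afterwards both the app and the website compute an HMAC over the current 30-second time step to arrive at the same six-digit code. The account name, issuer and URI below are constructed; the secret is the published RFC 6238 test key, so the codes can be checked against that RFC.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed otpauth URI: the kind of payload the website's QR code encodes.
# Account and issuer are made up; the secret is the RFC 6238 test key
# "12345678901234567890" in base32, so the codes can be checked against the RFC.
EXAMPLE_URI = ("otpauth://totp/Facebook:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
               "&issuer=Facebook&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the shared secret, digit count and step length from an otpauth URI."""
    query = parse_qs(urlparse(uri).query)
    secret = base64.b32decode(query["secret"][0].upper())
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    return secret, digits, period


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238: the counter is the number of whole periods since the epoch,
    which is why the code changes every 30 seconds."""
    return hotp(secret, int(unix_time) // period, digits)


def verify_totp(secret, submitted, unix_time, used_steps, digits=6, period=30, skew=1):
    """Server-side check. Accepts the current step plus `skew` neighbours (clock
    drift), compares in constant time, and records redeemed steps in
    `used_steps` so a code that was intercepted cannot be replayed."""
    step = int(unix_time) // period
    for candidate in range(max(step - skew, 0), step + skew + 1):
        if candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            used_steps.add(candidate)
            return True
    return False
```

The one-step tolerance in verify_totp is what lets a code typed a few seconds late still work, while the used_steps set is the site's side of "one-time": the same code is refused a second time.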
Any version of multi-factor authentication is better than none because once MFA has been enabled, even if a bad guy can get your credentials, whether they guess your username and password, crack your username and password, or buy your username and password off a list on the dark web, they still can't access your account because they're prompted for that one-time passcode, which is going to your phone.
Again, any multi-factor authentication is better than none. An authenticator app is the best mechanism because with a text-based one-time passcode, it is possible, it's unlikely, but it is possible for the bad guys to be able to access your texts. They can do something called SIM jacking or SIM swapping to swap your phone number to a different phone and get those texts. It's very secure, but it's not as secure as an authenticator app. With an authenticator app, the bad guys would literally physically have to take possession of your phone, they would have to be able to unlock your phone, and they would have to have access to that app to use it. I would recommend for most people using an authenticator app. Authy is a well-known authenticator app, you've got LastPass Authenticator, Microsoft makes an authenticator, Google makes an authenticator.
There are several out there, but any MFA is better than none. I'm going to go along with Microsoft and Google and tell you this literally is one of the simplest, easiest, and in almost every case, free things you can do to make yourself a much harder target. If you don't do anything else in the realm of cybersecurity, turn on multi-factor authentication on every website that will allow you to do it. Use an authenticator app to kick it up to the next level.
And you can see in one of the bullets I have there, if you want more information about multi-factor authentication or two-factor authentication, you can visit twofactorauth.org. It's a great resource, a lot of tips, a lot of information that will help you figure out how to implement multi-factor authentication.
Do it today, turn it on everywhere you can. You will make yourself, your family, and your organization much more secure.
Thank you very much. I hope that helps. And if you do have questions, you're more than welcome to look me up on Twitter or LinkedIn. I'm easy to find, Dave Hatter, and I'll be happy to try to provide additional advice.
Thank you very much and have a great day.