Avoiding extinction with MFA
My family and I have recently started a weekly dinner and a movie routine, where we base the dinner menu around the characters or premise of the movie. For us, we’re counting down to an upcoming family trip, but I’m hoping to keep up this fun routine even after our trip. The excitement of the kids picking an envelope as we all watch with excitement to see which movie we will be watching that week — and the same anticipation from mom and dad to see what type of food they will need to prepare in the coming days. Oh, the fun of family traditions… but now to the security part of this story.
This past week, one of the kids picked an envelope with “Jurassic World: Dominion” as the chosen movie. My mind quickly went to the menu that I now needed to pull together (cheesy raptor claws, dinosaur nuggets, maybe pterodactyl wings) but imagine my great surprise once we started watching the movie when I was able to have a great cyber chat with my kids — who are all getting more and more involved in the technology around them, like many other elementary and junior high students.
What is multi-factor authentication?
Jurassic World: Dominion and security? Sure. Dinosaurs escape fenced-in areas throughout the Jurassic Park franchise, but that isn’t the type of security I’m thinking of. Without causing any spoilers (I hope!), there is a scene in the movie where Ian Malcolm secretly gives his super-tech ID bracelet (think ID badge you wear on your wrist or if you have been to Walt Disney World lately, think of a Magic Band) to Dr. Ellie Sattler. Ellie and Dr. Alan Grant use that ID bracelet to enter the restricted area of the lab, where they end up stealing DNA, which leads to the terrifying, but thrilling, adventure that movies in the Jurassic Park series are known for.
The point is, with just the ID bracelet, they were able to access the part of the lab that was closed off to visitors. They weren’t asked to provide a fingerprint or a code along with swiping the ID bracelet (come on — even Disney requires your fingerprint after swiping a Magic Band!). And as a result, they were able to get in and steal Biosyn property.
In the cybersecurity world, we refer to this as the lack of multi-factor authentication (or sometimes two-step verification), also referred to as MFA. When only requiring one type of identification — in this case, the ID bracelet — the loss of that single source puts the items being protected at risk. If you add a second (or third, fourth, etc.) form of identification — such as a PIN, retinal scan or even answer to a question — you suddenly have multi-factor authentication and the loss of one form is not as risky as it was before.
How does multi-factor authentication work?
You likely already use multi-factor authentication in your daily life and didn’t quite realize it. When logging into your bank for mobile banking, for instance, you may input your user ID (or perhaps account number) and your password (or PIN). But if you are prompted because the site doesn’t recognize your device, this is a form of MFA. A registered device, such as a phone or personal computer, acts as your second form of authentication in this instance.
MFA is a layered approach to securing data or an application where a system requires a user to present two or more credentials to verify its identity. These credentials fall into one of three different categories:
- Something you know – such as a password or answer to a personal security question
- Something you have – such as a physical device, hardware token, ID badge or responding to an app on your mobile phone
- Something you are – such as a fingerprint or retina scan
In the case of mobile banking, the registered device falls into the “something you have” category.
It’s important to understand, though, that simply a combination of verifications does not constitute multi-factor authentication. That combination needs to include items from different categories. So, inputting a password and answering a security question doesn’t typically qualify as multi-factor authentication, as they both count as “something you know.” Inputting a password and then being prompted for a unique code that is displaying in an app on your phone qualifies as multi-factor authentication, as they cover “something you know” and “something you have” categories respectively.
Types of multi-factor authentication
While there are multiple types of multi-factor authentication, some of the most common ones include adding one of these to a password or PIN for an account:
- Push notification through a recognized authentication app
- One-time password (unique code that is displayed for you to use once and is only available to you through a method of communication that is unique to you, such as an email account, SMS message to your phone or through your mobile app)
- Two-factor token (physical token that you either plug in or pull a code off of)
- Biometrics (such as a fingerprint, facial verification or retina scan)
So, why is this important? If Biosyn required facial verification after using the ID badge, Ellie and Alan wouldn’t have gotten into the restricted part of the lab. If a bad actor steals your username and password, they can’t advance in systems where they also need to enter a one-time code that was sent to your mobile phone.
MFA repetition is key
Many systems are now offering their users MFA. While the first few times may feel like an extra step in the process, the reality is — the more you use it, the greater your muscle memory becomes, and it no longer feels like something extra. That small step to add an extra verification method can mean the difference between whether paleontologists can access your secret lab of insects or if they are stopped from advancing. Of course, in Jurassic World: Dominion, it worked in the good guys’ favor that the lab wasn’t using MFA. But let’s not flip the tables and make it the cyber criminals’ favor by not activating it when offered to us.
MFA is a basic digital security step to follow
Multi-factor authentication may sound difficult, but just like banking online, once you incorporate it into your digital life, it just becomes part of the process and can be one of the simplest and basic ways to ramp up your digital security. Remember — it’s easy to stay safe online… you just need to know what basic steps to incorporate.
If you decide to start the dinner and a movie tradition with your family (I highly recommend it! And I have plenty of movie menus to share if interested) start with Jurassic World: Dominion and have a chat about how MFA can keep others from impersonating you. What other movies do you think we should add to our schedule? Any other good movies that teach your family about cybersecurity topics?
Additional resources:
Read the first Cyber Chat post.