Easily Block 99.9% of Password Hacks

According to Microsoft's research, enabling multi-factor authentication can block 99.9% of password hacks.

Often abbreviated as MFA or 2FA, multi-factor (a.k.a. two-factor) authentication requires two things to successfully log in:

  • Something you know (a password)
  • Something you have (a mobile app, USB key, one-time code, or SMS text)

With both factors required, an attacker who obtains or guesses a password would still need the employee to approve the login via the app. As a bonus, unexpected prompts tell the employee that their password is compromised and that someone else is trying to log in with it.

MFA can be used in many scenarios, including Windows login (sitting at the keyboard), Remote Desktop, Microsoft 365 services, and any web site that supports it. In fact, Microsoft and others are pushing for passwordless authentication, where the login is simply approved on the device. Google refers to MFA as "two-step verification" or 2SV, and began requiring it on all Google accounts in Q4 2021.

How does one use MFA? It is set up through the service or web site, since the service is the party that sends the prompt or code. Many send a code via SMS/text, which is ubiquitous but subject to things like SIM swapping (someone convincing the phone company to transfer your number). Mobile apps are tied to the device, not the phone number, and often offer an approve/deny button instead of a numeric code.
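As an added illustration (not part of the ITS article), here is how the one-time codes from an authenticator app are produced and checked, using the TOTP algorithm (RFC 6238) that most such apps implement. The secret is the RFC's published test key, and the small server-side verifier (drift tolerance plus rejection of a reused code) is written for this example, not taken from any product.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step
DIGITS = 6    # code length shown by most authenticator apps

# Constructed test secret: the RFC 6238 reference key "12345678901234567890" in base32.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app displays)."""
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Server-side check: tolerates +/-skew_steps of clock drift and never accepts a code twice."""

    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_used_step = -1   # highest time step already redeemed

    def verify(self, submitted, at=None):
        at = int(time.time()) if at is None else at
        current = at // STEP
        for step_idx in range(current - self.skew, current + self.skew + 1):
            if step_idx <= self.last_used_step:
                continue   # a replayed (or older) code is rejected even if it would match
            if hmac.compare_digest(hotp(self.secret, step_idx), submitted):
                self.last_used_step = step_idx
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    code = totp(TEST_SECRET_B32, 59)            # "287082" (RFC 6238 vector, 6 digits)
    print(code, v.verify(code, at=59), v.verify(code, at=59))   # 287082 True False
```

The first `verify` succeeds and the second fails because the same code was already redeemed, which is the property that makes a stolen or phished code useless once the legitimate login has gone through.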

ITS can help set up MFA for your employees' network accounts, email accounts, or other services; just give us a call.

ITS recommends configuring MFA wherever possible. Even if you don't think it's necessary, an attacker who guesses your account password can immediately enroll their own "burner" phone for MFA. This is a serious problem for any account dealing with money or allowing purchases, as the bank or service may not allow you to change passwords or even talk to customer service without MFA approval...which goes to the attacker's phone.

Do back up your phone or mobile device. MFA apps typically have a setting that allows them to be included in the device's backup, such as iCloud, and require a recovery password or account sign-in during restore/reactivation. This way, when you replace your phone, the accounts in the MFA app can be easily restored.

Do not give up MFA codes to anyone over the phone. Hackers are known to make automated calls to trick people into giving up MFA codes.


January 2022
