Multi-factor Authentication – What’s all the fuss about?
Everyone is talking about multi-factor authentication, or at least the Australian Defence Minister is. At the time of writing, Australia is experiencing a major cyber-attack. The target of this attack includes industry organisations and all levels of government. In response to the cyber-attack, the Defence Minister appeared on TV and repeated the usual things we should do to minimize the risk of cyber threats. These included making sure we update our software to the latest version and keeping our computers up-to-date with the latest “patches”. I started nodding off at this point but then she mentioned multi-factor authentication. This was something new and unexpected.
Her comment about multi-factor authentication reminded me of the emails ARLO had been sending to prompt me to setup multi-factor authentication with them. I happen to use ARLO security cameras at home and had been ignoring these emails for months.
Ok, so what is multi-factor authentication?
Multi-factor authentication is a way of “beefing up” how a person is verified before they are allowed to logon to a website. One example would be a bank’s website. Typically, you would be asked to enter your ID and password in order to log on. But there’s a problem with this. What happens if your password was stolen by a hacker? There a number of ways this could occur. One way would be if the hacker managed to access the bank’s database containing customer passwords and ID’s. The hacker could now impersonate you and log on to your bank account. Multi-factor authentication guards against this. With multi-factor authentication, a password is not enough to prove who you are. One common way how multi-factor authentication does this is by the bank sending you a “temporary login number”. This would be sent by text message after you entered your password. You would then enter this number into the website to login. So what’s happened here? The hacker may have your login details because they hacked the bank’s database, but they don’t have your mobile phone. This means they don’t have the “temporary login number” that was sent to you.
Multi-factor authentication in action
Now, using a mobile phone for multi-factor authentication isn’t a 100% guarantee, but it is way better to have it with a mobile phone than not having it at all. The reason why it’s not 100% is probably a topic for another post.
I think I’ll take the Australian Defence Minister’s advice and set aside some time and do some “cyber hygiene”, i.e. I’ll stop procrastinating and check the Internet services I use and get multi-factor authentication in place where it is offered. ARLO will be the 1st cab off the rank.