In 2023, strong authentication (also called modern authentication) is established as a basic protection practice for critical accounts. But what is it, how do you do it well, and how does it work?
Do you know Aesop’s fable of the wolf and the kid goat? Having to leave her kid alone, the mother goat reminds him to open the door only to her. She gives him a code phrase, which the wolf overhears. When the wolf pronounces this code while imitating the goat’s voice, the kid asks him to show a white paw. The wolf leaves because he doesn’t have a white paw.
Authentication is about proving that I am who I say I am. My identity is my name or login ID. Authentication relies on what I know (a passphrase), what I am (my voice, my face, a white paw) and what I have (a key or a phone). The kid, doubting that it is really his mother, asks, in addition to the passphrase and the voice, for the equivalent of a fingerprint. Aesop already reminds us that two sureties are better than one.
Not everything should be protected in the same way. Let’s compare with your house. You have a gate that faces the street, locked with a key, and then you have a key to enter the house. Then each room is closed with a door, which does not necessarily have a key. You protect your assets by adding different levels of protection. The most valuable things have the highest level, such as a safe box, in a locked office, behind the equally locked front door and gate.
It’s the same principle for your digital assets. Each account has a door, more or less secure depending on what’s behind it. You open these doors with a username and password, and if necessary a second safeguard.
Your most valuable accounts
- Email: it gives access to all your other accounts, through forgotten-password recovery or receipt of authentication codes. Protect both professional and personal email accounts.
- Social media: you may use it to log in to other accounts or to manage a company profile. These accounts contain your lists of friends and represent you.
- Customer management: whether email or SMS marketing, appointment booking or CRM, these accounts hold your customers’ personal data and must be protected in accordance with the GDPR and Law 25 in Quebec.
These three types of accounts deserve stronger protection than the others: on the one hand a unique password, on the other a second method to prove that it is really you connecting. This is strong authentication. Remember that all of these accounts are generally accessible from your phone, so it is important to protect your phone well.
Implement strong authentication
There are several options, some safer than others. Always choose the most secure one the application or service offers. In order of preference:
- Security key (such as a YubiKey), which you plug into the USB port and keep with your keys.
- Biometrics: face or fingerprint recognition, often in an application on the phone.
- Authenticator app: a 6-digit code in Microsoft Authenticator or Google Authenticator, or a button to tap in the mobile app.
- A code sent by email or SMS (not recommended).
Go to the security settings of the account you want to secure and enable the strong authentication option.
Be careful! If you lose your phone or uninstall the authenticator app, you may lose access to your account. You must therefore set up an emergency solution, a “break glass” option. If you lose your house keys, you can break a window to get in (or call a locksmith, but that will take much longer).
For your accounts, this means enabling several strong authentication methods or printing backup codes. I did write print: once you have obtained the codes, do not leave them on your computer. Print the sheet and keep it with your spare key, with a trusted person or with your passports.
Since October 11, 2023, Google has rolled out passkeys. No more passwords, no more applications: your device is recognised automatically. It is very safe and you can use it instead of all these methods.
Is it really safe?
Yes, it is more secure to have strong authentication than not to have it! On the other hand, as we protect ourselves, cyber criminals innovate and find ways to defeat our protections. Here are two examples.
SIM swapping involves hijacking your telephone number. An attacker who has done so receives the authentication code sent to your cell phone, which is why sending the code by SMS is not recommended.
In 2022, Uber fell victim to an attack called MFA fatigue. The attacker, a 16-year-old English boy, had an Uber employee’s password. He tried to log in and sent the employee multiple requests to approve the connection. After a while, the employee clicked “accept”, and the young person was in the Uber account.
There are much more sophisticated attacks, but the majority of attacks are opportunistic and target doors that are open, improperly closed or have the key left in the lock.
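As an added illustration (not part of the original article), here is detection logic a defender could run over push-authentication logs to spot the pattern just described: a burst of prompts to one user followed by an approval. The log format, the user names, the timestamps and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of prompts that counts as a burst

# Constructed sample log: "<ISO-8601 UTC timestamp> <user> <event>".
# Events: push_sent, push_denied, push_approved. bob logs in normally;
# alice is prompted repeatedly, denies twice, then finally approves.
SAMPLE_LOG = """\
2024-03-01T02:00:00Z bob push_sent
2024-03-01T02:00:09Z bob push_approved
2024-03-01T02:01:00Z alice push_sent
2024-03-01T02:01:30Z alice push_denied
2024-03-01T02:02:00Z alice push_sent
2024-03-01T02:02:20Z alice push_denied
2024-03-01T02:03:00Z alice push_sent
2024-03-01T02:04:00Z alice push_sent
2024-03-01T02:05:00Z alice push_sent
2024-03-01T02:05:45Z alice push_approved
"""


def parse(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, alert) tuples in log order.

    'burst' fires the moment a user has received `threshold` prompts within
    `window`; 'approved_after_burst' fires when an approval arrives while such
    a burst is still inside the window, i.e. the outcome of the attack above.
    """
    recent = defaultdict(deque)  # user -> timestamps of prompts still in window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse(line)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:  # drop aged-out prompts
            prompts.popleft()
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) == threshold:  # first crossing of the threshold
                alerts.append((ts, user, "burst"))
        elif event == "push_approved":
            if len(prompts) >= threshold:
                alerts.append((ts, user, "approved_after_burst"))
            prompts.clear()  # a completed login ends the sequence
    return alerts


if __name__ == "__main__":
    for ts, user, kind in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {kind}")
```

Number matching (typing a code shown on the login screen into the app) removes the single "accept" button this detector watches for; where it is available, it is the preferable fix.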