County News

MFA: Another lock in the cybersecurity door

Author

Rita Reynolds

Chief Information Officer & Managing Director, County Tech Xchange

Key Takeaways

As you “See Yourself in Cyber,” it is important to see the role you fulfill as you protect both your work and personal accounts. CISA and NCA have developed several valuable resources and educational materials that will assist you in this cyber journey.

Of utmost importance is implementing tools and best practices that include Multi-Factor Authentication (MFA) and strong passwords.

MFA

The term MFA is used quite often, but for some it can be a foreign concept. Often referred to as two-factor authentication or two-step verification, MFA is an account login method that requires you to prove your identity by several means. Generally, you will enter your username (or email) and a password; then you will prove who you are by either providing your fingerprint or responding to a text message.

This extra security step can be accomplished through a variety of options. The most common include:

  • Inputting an extra PIN (personal identification number) as well as your password
  • The answer to an extra security question like “What is your mother’s maiden name?”
  • A code sent to your email or texted to your device that you must enter within a short span of time
  • Biometric identifiers like facial recognition or fingerprint scan
  • An additional code either emailed to an account or texted to a mobile number
  • A secure token – a separate piece of physical hardware, like a key fob, that verifies a person’s identity with a database or system

One may ask, “Why implement this extra step?”

Many organizations and counties already have this extra security measure in place for your email and other online applications. If not, you should be asking your manager or IT support why MFA is not being used to protect your work accounts. It may be in the roadmap, or it might be because of the cost. Whatever the reason, it is vital that you support this direction and encourage those that oversee the work technology environment to put such measures in place.

For personal accounts, at a minimum you should have MFA implemented on accounts such as banking, retirement, personal email, social media, credit card, mortgage accounts, etc. Wherever you have personal or financial data is where you should have MFA in place.

Passwords

The next step in this journey is to use strong passwords. Passwords have been around for decades and are an integral piece of the shield that protects your digital assets. There are three critical components to a strong password:

  • Length – a password, whether for your work account or your personal accounts, should be at least 12 characters in length.
  • Complexity – a combination of upper- and lower-case letters, along with numbers and special characters, makes for a much stronger password than, say, “Password123”!
  • Uniqueness – none of your passwords should look alike. Each of your online accounts should have a different password (and not just by adding the number “2” at the end). Further, never use the same password or a similar password for both work and personal accounts.
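The three components above can be checked mechanically across a set of accounts. The following Python sketch is an added example, not part of the original article: the function names, the 0.8 similarity threshold and the sample passwords are assumptions made for illustration, while the 12-character minimum and the character classes come from the list above.

```python
import re
import string
from difflib import SequenceMatcher

MIN_LENGTH = 12  # minimum length given in the article

def meets_length(pw):
    return len(pw) >= MIN_LENGTH

def meets_complexity(pw):
    # Upper case, lower case, number and special character must all be present.
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def _stem(pw):
    # Case-fold and drop trailing digits/symbols, so "Name1!" and "name2" match.
    return re.sub(r"[\d\W_]+$", "", pw.lower()) or pw.lower()

def too_similar(a, b, threshold=0.8):
    # threshold is an assumed cut-off, not a figure from the article
    sa, sb = _stem(a), _stem(b)
    return sa == sb or SequenceMatcher(None, sa, sb).ratio() >= threshold

def audit(accounts):
    """Map each account name to its findings; passwords are never echoed."""
    findings = {name: [] for name in accounts}
    for name, pw in accounts.items():
        if not meets_length(pw):
            findings[name].append("length")
        if not meets_complexity(pw):
            findings[name].append("complexity")
    names = list(accounts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if too_similar(accounts[a], accounts[b]):
                findings[a].append(f"similar to {b}")
                findings[b].append(f"similar to {a}")
    return findings

# Constructed sample data, not real credentials.
SAMPLE = {
    "work-email": "Password123",
    "bank": "River!Canoe7Maple",
    "personal-email": "River!Canoe7Maple2",
    "retirement": "tq9#Lm2vXe!4Zr",
}
```

Calling `audit(SAMPLE)` flags “Password123” for length and complexity, and flags the bank and personal-email passwords as similar to each other because they differ only by a trailing “2”.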

How often you change passwords has been up for discussion for quite some time and will most likely continue to be a topic with varying opinions. Prior guidance was that you change those passwords every so often. However, the reality is that it becomes quite cumbersome to do that. Recent guidance from the National Institute of Standards and Technology (NIST) now states that you should only change those passwords if you receive notice or suspect that your accounts have been compromised.

Since our online lives have become quite prolific and the number of online accounts we have is continuing to grow, there are options for password management. I would encourage you to take a look at the following. Apart from your not having to remember all those passwords, password management solutions are encrypted, require MFA to get into and are designed so that the product’s company does not have access to your passwords. Based on your personal needs or what your organization may provide, any one of these can fill that need.

NACo encourages you to share this knowledge with your IT support, your employees and your family and friends!

Resources

Multi-Factor Authentication - National Cybersecurity Alliance

Passwords - National Cybersecurity Alliance

NIST Special Publication 800-63B

Password Managers - National Cybersecurity Alliance
