Multi-factor Authentication: the Imperfect Tool You Need to Use

Did you hear about the most recent hack? The customer data of a major (retail/entertainment/medical/government/miscellaneous) company was stolen. The information was quickly put up for sale.

I decided to keep it generic, because let’s face it, between the time I’m writing this and the time you’re reading it, another major hack has probably happened. As attorneys, securing your clients’ data had better be something that occupies your attention. Mostly because it makes you a better person. But even if that doesn’t move you, it is your ethical responsibility.

There is no way to guarantee that your data is completely safe. However, don’t let perfect be the enemy of good. Here’s why Multi-Factor Authentication is the imperfect tool you need to use:

What is multi-factor authentication?

Your password, however complex it may be, has an inherent weakness: it’s your only line of defense. Once someone has figured it out (and it had better not be one of these), they’re in. Passwords have a second weakness: you. Yours is probably easy to guess, and you probably reuse it on several sites, so one breached site hands it to an attacker everywhere else you used it.

Multi-factor authentication means that anyone seeking your information needs more than one thing to get it. Most multi-factor authentication systems require factors from at least two of these three categories:

  • Something you know – like a password;
  • Something you have – like a keycard, or a phone that receives a code;
  • Something you are – biometric data, like your fingerprint or retinal ID.

One of the most popular methods has you enter your password, at which point a text message with a code is sent to your phone. You then have a limited amount of time to enter that code, which proves you hold the phone as well as knowing the password. Other versions use an app that generates the code on your phone instead of texting it to you. Of course, the popularly televised versions involve biometrics like the retinal scanner.

Whatever the method, it adds another step beyond a password before anyone can get at your accounts. Or, more importantly, your clients’ information.
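To make concrete what “a limited amount of time to enter that code” means, here is an added example (my code, not from the original post) of how an authenticator app and the server agree on a six-digit code without the code ever being sent anywhere: both sides compute it from a shared secret and the current 30-second time step, the RFC 6238 TOTP scheme that most authenticator apps use. The shared secret is the published RFC test value, labeled as such in the code; the function names and the replay check are my own illustration, not any particular product’s implementation.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the reference secret from RFC 6238's test
# vectors (ASCII "12345678901234567890"). A real enrolment generates a
# random secret and shows it to the user once, usually as a QR code.
SECRET = b"12345678901234567890"
STEP = 30       # seconds each code is valid for (authenticator-app default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int, window: int = 1, step: int = STEP):
    """Accept a code for the current step or up to `window` steps either
    side (phone and server clocks drift). Returns (accepted, counter).
    The caller stores the returned counter and passes it back next time:
    a counter is never accepted twice, so a code that was phished or
    read off an intercepted text cannot be replayed during its 30-second life."""
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_used_counter:
            continue                      # already spent, or older than a spent one
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Fixed timestamp so the run is reproducible; t=59 matches the RFC vector.
    t = 59
    code = totp(SECRET, t)
    print("code at t=59:", code)                               # 287082
    print("first use:", verify_totp(SECRET, code, t, -1))       # (True, 1)
    print("replay:   ", verify_totp(SECRET, code, t, 1))        # (False, 1)
    print("live code now:", totp(SECRET, int(time.time())))
```

The server never stores or transmits the code itself, only the secret and the last counter it accepted, which is why an app-generated code does not pass through the phone carrier the way a texted one does.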

Multi-factor authentication isn’t perfect.

Despite the added security multi-factor authentication provides, remember that no solution is perfect, which is exactly why you always need to remain vigilant. Make something idiot proof and someone will invent a better idiot.

Multi-factor authentication will protect you when someone else gets your password, but being casual with your personal information can still cause problems.

Social Engineering

Kevin Mitnick, the hacker the federal government famously feared could launch our nuclear arsenal by whistling into a phone, rarely “hacked” passwords in the way we may think of. In fact, his favorite tool for obtaining login information was what he called “social engineering.” I call it “acting dumb.”


Mitnick would use company directories (often obtained through dumpster diving) and cold call people until someone gave him their credentials. The practice of social engineering is alive and well. Unfortunately, these days we leave many more hints about our lives online, the same hints (pet names, schools, hometowns) that password-recovery questions rely on when we lose our passwords. In fact, hackers recently got into a target’s Gmail account only after using social engineering on Verizon to take over his cell phone account. With his text messages arriving on a phone they controlled, they received the code that the multi-factor authentication system sent. That is the caveat with codes sent by text: they are only as strong as the carrier’s customer-service desk. An app that generates the code on your phone, or a physical security key, leaves the carrier out of it.

The Forgetful Owner

Multi-factor authentication also requires you to have the ability to receive your code. Personally, I think the smartphone is probably the best available tool for multi-factor authentication, because I’m rarely without it. (And when I am without it, I start to get a little itchy.) However, there is always the risk that you’ll lose the ability to receive part of your authentication.

Or, you’ll get hacked, and forget your security code, like this guy.

Look, there are weaknesses in every system. To somehow believe that, by implementing multi-factor authentication, you’ve entered some worry-free state of existence is not just dumb. It’s dangerous. Regardless, even considering its weaknesses…

You need to use multi-factor authentication anyway.

That’s right. It’s imperfect. But like I said at the beginning: don’t make perfect the enemy of good. Multi-factor authentication is not perfect, but it’s damn good. And it’s a lot better than just having a password. Even if you don’t put all secured information into a multi-factor authentication system, there are definitely types of data that would benefit from added security.

You may not be able to prevent a data breach, but wouldn’t it be nice to tell clients that, since their information sat behind multi-factor authentication, none of it was stolen? How about telling your state ethics board that the breach wasn’t preventable? They’re much more likely to believe you if you can point to your multi-factor authentication system.

In the end…

Nothing will make you completely secure. Nothing. However, there are steps we can all take to keep our important data as safe as possible. For that data, your best bet at the moment, short of going off the grid, Little Caesar’s style, is multi-factor authentication.

Images courtesy of:
Photo by posterize.

  • Paul McGuire

    Many companies that do two-factor correctly have many different backup ways of logging in. So, for example, if you say “I can’t access that method” it will go to a different backup method. Many services let you print out backup keys to use in case you can’t access your phone or whatever you use for receiving codes, or have you set up a backup phone number to receive them on. They let you know very clearly that if you lose your backup keys and you can’t get in other ways you may not be able to access your account at all.

    Google and LastPass for example have backup code options when you set it up in the first place. If you can’t get into your Google account with the Authenticator app they let you receive a text and if that doesn’t work you can use a backup code. If that doesn’t work you just aren’t getting in, social engineering (acting stupid) or not. Those I think are the best way to go about it.

    Sadly some companies like PayPal make it easy to say “oops I lost the key,” in which case setting it up doesn’t really help you all that much. Just something to consider because not all two-factor setups are created equal.
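The backup-code scheme the comment above describes (print a set of single-use codes, keep them offline, each works exactly once), written out as an added example. This is my code, not the post’s, the commenter’s, or any particular service’s implementation; it assumes the server keeps one record per code, and names such as `redeem_backup_code` are made up for the illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet that avoids glyphs people confuse when reading from paper
# (0/O, 1/l/I). Ten characters from 31 symbols is roughly 49 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
ITERATIONS = 50_000   # PBKDF2 rounds: short codes get hashed like passwords


def generate_backup_codes(count: int = 10):
    """Return (codes to show the user exactly once, records to store).
    Only salted hashes are kept server-side, so a database leak does not
    hand an attacker a working second factor."""
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)
        codes.append(code)
        records.append({"salt": salt, "hash": digest, "used": False})
    return codes, records


def normalise(submitted: str) -> str:
    """Tolerate upper case, spaces and hyphens typed from a printout."""
    return "".join(ch for ch in submitted.lower() if ch in ALPHABET)


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume one unused backup code. Every record is hashed and compared
    before deciding, so response time does not reveal which slot (if any)
    matched. A code is accepted once; a second attempt with it fails."""
    candidate = normalise(submitted).encode()
    matched = None
    for rec in records:
        digest = hashlib.pbkdf2_hmac("sha256", candidate, rec["salt"], ITERATIONS)
        if hmac.compare_digest(digest, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining(records) -> int:
    """How many codes are left; warn the user and reissue when this runs low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    codes, stored = generate_backup_codes(10)
    print("Print these and keep them offline:", " ".join(codes))
    print("first use:", redeem_backup_code(stored, codes[0].upper()))  # True
    print("replay:   ", redeem_backup_code(stored, codes[0]))          # False
    print("remaining:", remaining(stored))                             # 9
```

The point the commenter makes is visible in the last branch: once the codes are spent or lost and no other factor works, there is deliberately no “oops, I lost the key” path, which is what makes the scheme a real second factor rather than a formality.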