Welcome to May!
This is a very busy time of year. As a class exits the college, many staff and faculty are concerning themselves with the new class coming in August. Others are preparing for summer projects and events. In the middle of this barely-controlled chaos, it would seem to be a bad idea to introduce something new to the community, but the Department of Information Security is undaunted.
Let’s talk about multi-factor or two-factor authentication. Multi-factor and two-factor authentication are terms for the same security measure – the requirement of more than just a username and password to access an account.
Weak and reused passwords are a common entry point for criminals to access your accounts, computers, and ultimately, even the college network. The goal of multi-factor (MFA) or two-factor (2FA) authentication is to make these weak and reused passwords useless to others.
Were you tricked into revealing your password through a phishing scam? Rest easy, your account is safe…if you are using MFA/2FA! That’s the control that multi-factor authentication—also known as two-step verification or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That’s a lot of power for very little effort!
- How does it work? Once you’ve activated two-factor authentication on an account, whenever an account login with your password is submitted, an authorization check will come to your smartphone or other registered device. Without your approval or current code, a password thief can’t get into your account.
- How do I get MFA for my accounts? MFA is available now for your college Office 365 account (email, OneDrive, applications, etc.). You just have to request it by emailing firstname.lastname@example.org. It is available for many other accounts, for example Google, many social networks, iCloud and more. Each of these services handles the setup differently. Check out https://lockdownyourlogin.org for more information about specific sites.
- Is it difficult to set up and use? MFA is not difficult to set up, but requires a few steps. Using it typically requires only one more step after entering your username and password. You’ll install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can’t install a mobile app. For international travelers, some mobile apps also generate a code so that a data or cellular service connection isn’t required for this second step.
- Can I adjust the frequency of the MFA checks? This capability varies between different services, but in many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., personal website administration), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up MFA—such as a personal email account you typically only check from one laptop and one smartphone.
- Which accounts should I protect with MFA? Why wouldn’t you protect all of them where it’s available? But, start with those that are most critical to your identity and livelihood. Here are some suggestions:
  - Email accounts: “Forgot password” reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
  - Financial accounts: Protect your money!
  - Social media accounts and website management accounts: Protect your reputation and/or brand!
  - Online shopping accounts: Protect usage of your stored credit card information!
The college will begin requiring MFA for all users in the next few months. Avoid the rush and volunteer to have MFA enabled on your account this summer. You will have access to an IT staff member or student worker to help you set it up. Just email email@example.com and request MFA for your account.
Check out this video for more information about MFA!
Stay tuned, there are more upcoming Information Security events this summer!