Multifactor Authentication and why it is important

More and more services now require or suggest the use of multifactor authentication (MFA) for accessing online systems. MFA is a login process that requires more than one method of authentication to verify a user’s identity. It combines two or more independent credentials, each from a different category, to verify a login.

  • The first credential is something the user knows: a password or a personal identification number (PIN). Answers to personal security questions are sometimes used here too, but they are weak because the answers are often guessable or public. A one-time code does not belong in this category; it is tied to a device the user holds, which makes it a “something you have” factor.
  • The second credential is something that only the user has access to, such as a personal phone or tablet, a badge, a hardware token, or a key fob. One common method sends a text message to your phone with a code you must enter before the login completes; an authenticator app that generates the code on the device itself is a stronger version of the same idea.
  • The third credential is something physically distinct to each user, also known as the inherence factor. Fingerprints, iris scans, and facial recognition are all examples. A third factor is rarely required unless the data being accessed is highly sensitive. Biometrics are more often used in place of the second factor, much as your phone uses Face ID to unlock stored credentials; in that case the service is trusting the phone’s own check, so the phone is still the “something you have.”

No matter the type of verification, multifactor authentication adds an extra, usually quick, step when logging into secure sites. This extra step adds a good deal of security to your accounts and great peace of mind.

Multifactor authentication is used to increase the security of accounts and services that may contain sensitive information. MFA helps validate that the person accessing the account is an authorized user. It adds another layer of defense, making it harder for someone to gain unauthorized access, and that layer protects you against weak or stolen passwords. NordPass, a security and privacy-focused company, found that “123456”, “password” and “qwerty” were among the most commonly used passwords in 2022. Passwords like these are trivial to guess or crack; with MFA turned on, a guessed password alone is not enough to get into the account. That is not a reason to keep a weak password, but it does limit the damage when one is exposed.

In conclusion, while MFA may take a few extra seconds to verify your identity, the added layer of security makes it that much harder for cyber-criminals to access your private and sensitive data. By verifying your credentials using a method that is physically tied to your person, such as your phone or your Face ID, companies can ensure that your data is that much safer from prying eyes. Please feel free to contact your Computer Support Specialist if you have any questions.

OSU Service Account Password Change

Service accounts are OSU email accounts bound to a department or office rather than to a person. They are used for a variety of things, most commonly shared calendars or OneDrive folders, so that the account stays with the department if someone leaves for a different department or leaves OSU altogether. Service accounts are not quite like normal OKEY accounts: they are assigned to one or more owners, who manage them through their own OKEY logins. If you are an owner of a service account, when you log into http://okey.okstate.edu/ you will see a “Service Accounts” button on the left-hand menu. If you don’t see that button, you most likely haven’t been assigned a service account, and if you need to take care of one you will have to find one of its owners. Whatever your service account is used for, you will likely need to change its password sooner or later.

First, head on over to http://okey.okstate.edu/ and log in with your personal OKEY email address and password.

You will see an option on the left-hand menu for “Service Accounts”; click it.

Once you are there, you will see your service account in the list (you will likely only have one, but if you have more than one service account all of them will show up here.)

Under the service account whose password you want to change, click the “Modify” button.

On the left-hand side, click “Change Service Account Password”.

From there you can choose one of the generated passwords or enter your own. A generated password is the better choice, and because the account is shared, keep it in a password manager rather than passing it around by email or on a sticky note.

Once you have either chosen one of the generated passwords or entered your own, choose Save, and you will have changed your service account password.

Multi-factor Authentication

Multi-factor authentication (MFA) is sometimes referred to as two-factor authentication or 2FA. It is a security feature that requires you to present two types of credentials when logging in. These credentials can be something you know (a password, for example), something you have (like a smartphone), or something you are (a fingerprint or voice recognition, for example). Multi-factor authentication uses at least two of these three different types of credentials. As an example, after you log into your email account with your username and password, MFA would require you to enter a code that was sent to your phone. Another common example is that after entering your username and password, an authentication app on your phone sends you a notification asking whether you are the one trying to log in.

Multi-factor authentication adds an additional layer of security to your account. This makes it much more difficult for someone trying to break into your account. Not only would they need your password but they would also need access to your phone in order to get into the account! Many passwords are compromised every year and MFA helps prevent your accounts from being compromised!

Multi-factor authentication is becoming more common. Many websites offer it as a security setting that you must turn on. While some may see it as an annoyance or an additional obstacle, MFA adds another layer of security and should be considered for any website where you have sensitive information. This includes bank accounts, social media accounts and even shopping websites where you might have saved credit card information.

To verify your identity, some websites let you set up MFA with a phone number that receives a security code by text message. This is definitely a positive step and is encouraged, but text messages can be intercepted or redirected to an attacker’s phone. Consider using an authenticator app installed on your smartphone instead. The app holds a secret that the service shared with it once, at enrollment (usually by scanning a QR code), and it generates a fresh code from that secret and the current time. The code is computed on the phone and never sent over the phone network, so there is nothing to intercept, and each code stops working after a short window. This reduces the potential for compromise. For convenience, some authenticator apps can instead send a push notification asking you to allow or deny a login attempt. Some examples of these kinds of apps are Duo, Authy, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator.

More information can be found here:

  1. https://www.nist.gov/blogs/cybersecurity-insights/back-basics-whats-multi-factor-authentication-and-why-should-i-care
  2. https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661
  3. https://www.techradar.com/best/best-authenticator-apps

Password Safety

Passwords are keys to your online castle(s) such as: employer’s online resources, bank account, social media accounts, shopping sites, health records, and much more. Password safety is not something many people think about on a daily basis but passwords help keep your accounts secure and your digital identity safe. In this article, I explore best practices for password safety.

Password safety begins with strong passwords. You may see many different definitions of a strong password. Over time, we learn better practices to increase the security of a password. These include a password’s length, its uniqueness and randomness, and the feasibility of guessing a password.

Password Length

Let’s start with password length. Many sites require your password to have a minimum number of characters. Why? Each additional character multiplies the number of possible combinations an attacker has to try, so the search space grows exponentially with length. For someone running a password-cracking program against your password, enough characters push the time needed to exhaust that space beyond anything practical. The National Institute of Standards and Technology (NIST) requires at least 8 characters for user-chosen passwords, and many others suggest at least 12. Eight characters is a reasonable minimum for your password, but longer passwords are better.

Password: Unique and Random

Another part of a strong password is its uniqueness – not reusing the same password across several websites. This aspect is often overlooked but a unique password is one of the more important factors you should consider. Even the strongest password used over and over on many different websites becomes insecure: if a website is compromised and hackers have login data, your strong but not unique password is now available to the hackers. Once your password is compromised, instead of updating the password for the one site that was hacked, you would need to change the password on every site where you used that password!

Randomness plays an important role in the strength of a password as well. Random passwords are much harder to guess because they avoid predictable words and characters. Some people use the names of friends, family, or pets, or even the name of the service itself; others use birthdays or some variation of generic passwords like 12345 or ‘qwerty’, or just swap a letter or two in ‘password’ for a similar-looking symbol, such as ‘a’ to ‘@’. Let’s be honest: ‘P@ssW0rd’ is not much more secure than ‘password’, because cracking tools try exactly those substitutions. An example that is far less predictable would be something like TeaDriveCubeGlasses, a password I made using the passphrase model described below.

Using a Base Password

Uniqueness and randomness both reduce the chance that your password will be guessed. But what if you use a base password and just change a few characters at the beginning or end for each site? Many websites provide a password strength meter to help judge a password. However, these meters cannot consider how many times you have used that password elsewhere, or whether it is a small variation of a password you use at another site, and many of them rate a leetspeak variant of a common word as strong. Using a base password with minor changes should be avoided. As in the previous examples, if your account is compromised on one website, that password and every variation of it jeopardizes your accounts on other sites, because attackers try those variations first.
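As an added example of the check a strength meter does not make, here is a small Python routine (written for this article, not a real site’s password policy) that reduces a password to the “base” a cracker’s rule engine would try: it undoes common symbol substitutions, strips the digits and symbols people append, and then compares that base against a common-password list and against the user’s other passwords. The common-password list is a constructed sample of the kind of entries that top the published lists.

```python
import re
from typing import Iterable

# Constructed sample of the kind of entries found in published "most common
# passwords" lists; a real check would use a full breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345", "letmein",
                    "welcome", "iloveyou", "admin", "football", "monkey"}

# Letter-for-symbol swaps that cracking rules undo as a matter of course.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def base_form(password: str) -> str:
    """Lowercase, drop the digits/symbols tacked on at either end, and undo
    leetspeak. An all-digit password like '123456' has no letters to anchor
    on, so it is returned as-is rather than being mangled by the swaps."""
    core = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return stripped.translate(LEET) if stripped else core


def is_common_variant(password: str) -> bool:
    """True when the password is a common password or a cosmetic variant of one."""
    return base_form(password) in COMMON_PASSWORDS


def shares_base(password: str, other: str) -> bool:
    """True when two passwords differ only by the tweaks people make to a base password."""
    return base_form(password) == base_form(other)


def check_password(password: str, previous: Iterable[str] = ()) -> list:
    """Return the problems found (empty list means none of these checks fired).
    `previous` holds the user's other passwords, which is what a site-local
    strength meter cannot see."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if is_common_variant(password):
        problems.append(f"variant of the common password '{base_form(password)}'")
    if any(shares_base(password, p) for p in previous):
        problems.append("minor variation of a password you already use")
    return problems


if __name__ == "__main__":
    others = ["Summer2022!"]            # constructed: passwords already in use elsewhere
    for candidate in ["P@ssW0rd", "Qwerty123!", "summer2023", "TeaDriveCubeGlasses"]:
        print(f"{candidate:22} -> {check_password(candidate, others) or 'no problems found'}")
```

Running it shows why ‘P@ssW0rd’ and ‘Qwerty123!’ fail while the four-word passphrase passes; the same normalization is what lets attackers turn one leaked password into guesses for all of your accounts.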

Using a Passphrase

One of the best ways to create a password is to use a passphrase. The word is a blend of “password” and “phrase”: a password made of several words. Using a passphrase as your password (1) gives you a much longer password, which is far harder to crack by brute force, and (2) makes the password easier to remember. The words should be chosen at random, not taken from a quote or song lyric that a cracker can look up. The best-known illustration is the XKCD comic “Password Strength”, which rates the difficulty of remembering a four-random-word passphrase as: “You’ve already memorized it.”
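As an added example (written for this article, not taken from the comic or from any password tool), here is a passphrase generator together with the entropy arithmetic behind the “longer and easier to remember” claim. It assumes the attacker knows the word list and the scheme, so only the random choices count. The 32-word list is a constructed stand-in; a real generator uses a list of several thousand words, and the 10 billion guesses per second is an assumed cracking rate for a fast hash.

```python
import math
import secrets

# Constructed 32-word sample list. A real generator uses thousands of words
# (the EFF long list has 7,776) so that each word adds about 13 bits.
WORDS = ["tea", "drive", "cube", "glasses", "river", "lamp", "pencil", "orbit",
         "maple", "violin", "copper", "thunder", "basket", "meadow", "rocket", "pillow",
         "candle", "harbor", "jungle", "marble", "oyster", "puzzle", "quartz", "saddle",
         "tunnel", "velvet", "walnut", "yellow", "zipper", "anchor", "button", "cactus"]


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = "") -> str:
    """Pick words with the `secrets` module (a cryptographic RNG), never `random`.
    Capitalizing each word keeps the boundaries visible when sep is empty."""
    return sep.join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is chosen uniformly at random
    from `alphabet_size` options (characters or words). Words chosen by a person
    are not uniform, so a hand-picked phrase gets far fewer bits than this."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """On average an attacker succeeds after trying half the space."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10   # assumed: a cracking rig trying 10 billion fast-hash guesses per second
    print("4-word passphrase from this small list:", generate_passphrase(4))
    for label, bits in [
        ("8 random printable characters", entropy_bits(95, 8)),
        ("12 random printable characters", entropy_bits(95, 12)),
        ("4 words from a 7,776-word list", entropy_bits(7776, 4)),
        ("5 words from a 7,776-word list", entropy_bits(7776, 5)),
        ("4 words from this 32-word list", entropy_bits(32, 4)),
    ]:
        print(f"{label}: {bits:.1f} bits, about {expected_years_to_crack(bits, rate):.2g} years")
```

Four words from a 7,776-word list (about 51.7 bits) are roughly as strong as 8 fully random printable characters (about 52.6 bits) and far easier to remember; a fifth word adds another 13 bits. The same arithmetic also shows why the tiny list above is only for demonstration: four words from 32 choices are just 20 bits.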

Password Manager

After you have a strong unique password, you will want a safe and secure way to remember it. Now, some people may have a fantastic memory for remembering hundreds of unique and random passwords, but not everyone is blessed with such a memory. Many people write down their passwords on a piece of paper, maybe an Excel sheet, or even a sticky note under their keyboard. This is another practice that is not very secure. So, you may be wondering how to remember all your long, random, unique passwords! The best course of action is a password manager: a tool that will store all your usernames and passwords for your accounts behind one username and password. This helps keep people without the credentials to your password manager from being able to find your password list and logging into your accounts. There are many different password managers out there including LastPass, Bitwarden, 1Password, and Dashlane to name a few.

Best Practices for Password Safety

Another piece of password safety is knowing when to change your password. Pay attention to news headlines about digital and online security, and change your passwords when you become aware of a data breach at a service you use. Change your password, using the techniques described above, to a new, strong password, and if any other account uses the same password, change it too. If you have given an account password to someone else, change it as well.

Multifactor authentication (MFA), or two-factor authentication as it is sometimes called, is a security feature that requires two forms of identification to log into an account. There are three types of identification that can be used for multifactor authentication: something you know, something you have, and something you are. For example, MFA may use a password (something you know), a cell phone (something you have), or a fingerprint (something you are). The two forms of identification need to be of different types to strengthen the security of the account. In our examples, you couldn’t use a password and a PIN, as both fall under the “something you know” category, but you could use a password and a one-time code sent by text message to your mobile phone, since the code proves possession of the phone. Enabling MFA for your account adds another layer of security and helps if your password is ever exposed in a breach: the attacker would also need that second factor in order to access your account.

Contact Us

If you have questions related to material covered in this article, about cybersecurity or other IT security related topics, feel free to contact us.

Resource links

https://pages.nist.gov/800-63-3/sp800-63b.html

https://www.loginradius.com/blog/start-with-identity/nist-password-guidelines-2021/

https://www.cloudwards.net/how-to-set-up-a-strong-password/

https://cybernews.com/best-password-managers/how-to-create-a-strong-password/

https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

Password and Account Protection

Online access provides you with incredible opportunities: check a bank statement, pay a mortgage, make a credit card payment, check a credit score, and order just about anything then have it delivered to your house! But each of these tasks requires you to login to a website or app, and keeping each account safe is of critical importance. A strong password for each account is fundamental.

Internet Security System

What makes a “strong” password? It begins with the password length: the longer the password, the longer it takes a hacker or a hacker’s computer to guess or crack it, and that time grows dramatically with each additional character. It is a balance, however, since a password that is too hard to remember tends to get written down or reused, which defeats the purpose of a strong password. Treat 8 characters as the floor; longer is better, and a passphrase of several words gets you well past that without being hard to remember.

A common way to make strong passwords easy to remember is by using a passphrase. Using random words that don’t fit with each other increases the unpredictability of the password. The well-known XKCD comic “Password Strength” demonstrates this: four random common words are both far harder to brute-force than a short “complex” password and far easier to remember.

Of the many password practices, several are things we really shouldn’t do. If you make a strong password but use it on every website, a security breach at any one of those websites exposes that password, and with it every account that uses it. Every password should be unique to its account and never reused for another. Another ill-conceived practice is using the names of pets or people, or notable dates, as a password; these are easy for a password cracker to guess. Likewise, do not use the same base password and just change a number or two at the end. Crackers try those variations automatically, so this has the same problem as using the same password on every site.

Finally, one other step you can take to secure your accounts is using multi-factor authentication (MFA). The most common form is two-factor authentication, which requires two authentication factors: the first is usually a knowledge factor (the password you know) and the second a possession factor, something physical that you have such as an ID card, security token, or smartphone. In multi-factor authentication, the third common factor is the inherence factor (also known as the biometric factor). There are other authentication factors, such as location and time, but these three are the most common. Requiring two of these factors makes breaking into your account that much harder, since an attacker would need two things from you, not just your password.

Oklahoma State University also has a two-factor authentication option for logging into all the websites that use your OKEY login. For more information see https://it.sp.okstate.edu/itservices/4help/guide.aspx?guideName=STW-IT_Duo_Setup_And_Use. Start your setup for Multi-factor Authentication at https://apps.okstate.edu/duo_portal.

Using Password Managers to Stay Safe Online

Whether it is posting in social media, reading email, banking, or any number of other things, if you are online, you will be using a password to access your account. Some people are really good about using secure password practices but many of us remember passwords by writing them down on a Post-It Note, using easy-to-guess passwords or reusing old passwords. These practices leave our accounts vulnerable in the cyber world. One thing that can help us keep our online accounts safe is a password manager.

Password managers do pretty much exactly as you would expect: they manage passwords. To get started, a “strong” password is created for the password manager then the password manager provides tools for creating and storing your passwords. The password manager creates unique and hard to guess passwords thereby increasing the security in the associated accounts. Along with the password, password managers keep login information for each website including the username or email address you use. So when you log into a website, like Facebook for example, it will remember your email and the password and automatically put both into their respective fields. It is critical to secure the computer that is entrusted with your password manager: a username and password should be required to get access to the computer!

Another benefit of password managers is having your passwords available on multiple devices. Several password managers have an app for both iOS and Android, so you can access your passwords on your phone as well, and the same vault can be synced across different computers too. If you have a laptop and a desktop, you will have access to the passwords in both places. If you lose a device, you can change the master password of your password manager and the rest of your passwords will still be safe behind that new password. Some password managers also let you remove a device from the account’s device list, so that device has to log back in with your master password before it can see anything.

There are many different password managers. Chrome, Firefox, Internet Explorer, and Edge all have built-in password managers that work for storing passwords but don’t offer some of the other features. A few dedicated password managers offer better features, and some have free versions.

  • Dashlane – Dashlane has some amazing features, like changing several passwords at once. However, the free version of Dashlane limits password storage to 50 sets of credentials.
  • LastPass – The free edition of LastPass supports unlimited devices and includes a security challenge that helps determine how secure your online accounts are.
  • Keeper – Keeper also has some storage for files and documents that you want to keep safe. The limiting factor on the free version is that it is limited to a single device.

References:

  • https://www.cnet.com/news/the-best-password-managers-directory/
  • https://www.tomsguide.com/us/best-password-managers,review-3785.html