Susan Snedaker

Use Multi-Factor Authentication and Alerts

October is Cybersecurity Awareness Month


This is the third of four October posts about cybersecurity. Today's focus is MFA/2FA - what it is and why it's important.


Multi-Factor Authentication
Source: https://technofaq.org/wp-content/uploads/2019/09/MFA.png

What is Multi-Factor (MFA) or Two-Factor Authentication (2FA)?

We'll refer to MFA to include 2FA. MFA is a method used to ensure that the person logging in is the authorized user. It relies on the authorized user knowing or having something the hacker doesn't. Most MFA solutions involve sending a text to an enrolled smartphone. Other MFA solutions involve enrolling in an MFA app that displays a code for a set amount of time (usually 1 minute or less) and then refreshes with a new code. Some MFA solutions involve having an actual piece of hardware (usually a fob). Most people use SMS text for MFA because it's relatively user-friendly and relatively secure.


Use Multi-Factor (MFA) or Two-Factor Authentication (2FA) for Your Important Accounts

An important account is one that holds confidential or private information. This includes financial and business accounts - your bank, your mortgage, your retirement account, your credit union, your credit card. This excludes things like your weather app that probably has no personal information about you other than what the app collects from your phone and your use of the app (such as searches).


Why MFA or 2FA?


In the event a hacker is able to crack your password, MFA/2FA adds another lock on the door to your accounts. Though MFA methods can be hacked and breached, doing so is far more difficult (as of today). Of course, that means you need to be wary of attacks via SMS text messaging that may appear to be MFA from a trusted source.


Set up MFA on all your important accounts and pay attention to what the real MFA prompts look like. Each organization, such as a bank, uses a method that will look familiar to you over time. That's the good news and the bad news. Once you become familiar with it, you may not examine it closely and you might respond to a fake MFA prompt. How can you tell? The only MFA prompt you should respond to is the one you asked for as you logged in. Something that comes many minutes or hours later, or that is completely unrelated to a login, should be considered suspect. If that happens, log directly into your account and change your password. If appropriate, alert the organization that you received a scam MFA prompt so they can investigate.
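The rule above, written as a check over an account's event log. This is an added example, not part of the original post; the event names, the constructed sample data and the five-minute window are assumptions, and it also treats a second prompt for the same login as suspect.

```python
from datetime import datetime, timedelta

# Assumption: how long after a login a prompt still counts as
# "the one you asked for". The post only says "many minutes" is too long.
WINDOW = timedelta(minutes=5)

# Constructed sample events (not real logs): (ISO timestamp, user, event type)
SAMPLE_EVENTS = [
    ("2023-10-17T09:00:05", "alice", "login_attempt"),
    ("2023-10-17T09:00:09", "alice", "mfa_prompt"),  # requested at login
    ("2023-10-17T09:00:40", "alice", "mfa_prompt"),  # extra prompt, same login
    ("2023-10-17T13:42:10", "alice", "mfa_prompt"),  # hours later, no login
    ("2023-10-17T10:15:00", "bob", "login_attempt"),
    ("2023-10-17T10:31:00", "bob", "mfa_prompt"),    # 16 minutes after login
    ("2023-10-17T11:00:00", "carol", "mfa_prompt"),  # no login at all
]


def classify_prompts(events, window=WINDOW):
    """Return (timestamp, user, verdict) for every mfa_prompt event."""
    pending = {}  # user -> time of the latest login not yet matched to a prompt
    results = []
    for ts, user, kind in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "login_attempt":
            pending[user] = when
        elif kind == "mfa_prompt":
            # Each login accounts for at most one prompt, so pop it.
            login = pending.pop(user, None)
            if login is not None and when - login <= window:
                verdict = "expected"
            else:
                verdict = "suspect"
            results.append((ts, user, verdict))
    return results


def suspect_prompts(events, window=WINDOW):
    """Only the prompts that were not asked for by a recent login."""
    return [(ts, user) for ts, user, verdict in classify_prompts(events, window)
            if verdict == "suspect"]


if __name__ == "__main__":
    for ts, user, verdict in classify_prompts(SAMPLE_EVENTS):
        print(ts, user, verdict)
```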


Set Up Alerts on Your Important Accounts


To prevent fraud and abuse, you should also set up alerts on your important accounts. For example, for credit cards, set up an SMS text alert (or email or phone call, your choice) a) whenever any charge is made, b) whenever any new device logs into your account, and c) whenever any changes are made to the account such as a new email address or phone number. Hackers often use small charges to test the viability of a credit card, so if you set your alert limit to, say, $50 and the hacker charges $2.13, you won't be notified. Setting the alert to any amount will alert you immediately if an important account is compromised. If that occurs, always call the institution at the phone number printed on the credit card or listed on its official website to report it immediately. Ask to suspend the account (or similar action) while you sort out what's going on. The sooner you notice a problem, the easier it (usually) is to fix.


And of course, I'm assuming you've done your homework and examined all your passwords to make sure they were strong and secure. If not, get busy! Stay safe.
