Usernames and passwords can be guessed or even cracked by determined attackers. One of the best ways to protect account access is to require an additional authentication method (a second “factor”) beyond the password. The factor we typically recommend is a mobile authenticator application, such as Google Authenticator, Duo Security, and others.
When a user logs in, they are prompted for their username and password plus, usually, a 6-digit one-time code. That code is a time-based one-time password (TOTP): the authenticator app on the smartphone derives it from a secret shared with the service at enrollment and the current time, so it changes every 30 seconds or so and only the person holding that phone can produce it. Some authenticators (such as Duo and the Microsoft Authenticator app) also offer a “push” notification to the phone that the user approves with a tap; approve only prompts for logins you actually started, since an attacker who already has the password can trigger one.
Google Authenticator Example Screen
If the account password is stolen, the attacker still cannot log in unless they also control the user’s second factor, normally the smartphone. Enabling MFA is usually free as well. That combination is what makes Multi-Factor Authentication so powerful and one of our most recommended fixes for organizations of all sizes.
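To make the “continually changing code” concrete, here is a small TOTP generator and server-side verifier written for this article as an added example (it is not code from the original page or from any of the authenticator apps named above). It assumes the defaults most apps use, HMAC-SHA1, a 30-second step and 6 digits, and uses the well-known RFC 4226/6238 test key as the shared secret rather than a real credential. The verifier also shows two checks the paragraph only implies: a small clock-drift window, and refusing to accept the same code twice.

```python
"""Minimal TOTP (RFC 6238) generator and verifier.

Added example, not code from the original article. Assumes HMAC-SHA1,
a 30-second time step and 6 digits (the usual authenticator-app defaults).
TEST_SECRET is the RFC 4226/6238 test vector key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Shared secret: provisioned into the phone app once (normally via a QR code)
# and stored server-side. This is the published RFC test key.
TEST_SECRET = b"12345678901234567890"

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.

    This is what the phone app computes; the secret never leaves the device."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int,
                last_used_counter: int = -1, window: int = 1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side to absorb clock
    drift, compares in constant time, and refuses any counter at or below the
    last one accepted so a code captured in transit cannot be replayed.
    Returns (ok, counter_to_store_as_last_used).
    """
    current = at_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed: replay attempt or stale window
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_used_counter


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps import the secret as Base32 (the secret= field of an otpauth:// URI)."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    # Values match RFC 6238 Appendix B (SHA1 column) reduced to 6 digits.
    print("code at t=59:", totp(TEST_SECRET, at_time=59))              # 287082
    print("code at t=1111111109:", totp(TEST_SECRET, at_time=1111111109))  # 081804
    ok, used = verify_totp(TEST_SECRET, "287082", at_time=59)
    print("first use accepted:", ok)                                     # True
    print("replay accepted:", verify_totp(TEST_SECRET, "287082", 59, used)[0])  # False
    print("enrolment secret (Base32):", secret_to_base32(TEST_SECRET))
```

The replay check is the part most home-grown verifiers forget: a 30-second window is long enough for an attacker who phishes a code to use it, so the server should store the counter of the last accepted code per user and never accept that counter, or an earlier one, again.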
A note on text or SMS-based MFA: some services offer the kind of MFA described above but deliver the code by text message. We do NOT recommend this. Text messages can be intercepted (weaknesses in the carrier signalling network are well known), and in many cases an attacker can convince a cell phone provider to move your number to a phone they control (a “SIM swap”). For these reasons we do not recommend any text or SMS-based MFA method unless it is your only option; it is still better than a password alone, but use an authenticator app whenever one is available.
Enabling Two-Factor Authentication Solutions
Web Applications (selected)
- Enabling in WordPress
- Enabling in Amazon Web Services
- Enabling in Dropbox
- Enabling in Box.com
- Enabling in Salesforce.com