Every week while I am reviewing the infosec news I read about more and bigger compromises of user account information. If users themselves are not falling for phishing attacks and entering their user name and passwords into bogus webpages, then their user name and passwords are being compromised when some company database gets hacked. The danger becomes much greater when we consider that most of us use just a few different passwords for all of our accounts. Savvy hackers could take advantage of this and clean you out before you even realized that your secrets had been compromised.
The easiest and most effective way that you personally can help protect yourself in this horrible online environment is to implement multi-factor authentication (MFA) for everything you access. This includes email, online banking, social media, online shopping and everything else that you can think of. And, believe me, I know what a pain it can be to always be hassling with MFA mechanisms! You often have to get a code from another device or carry a dongle with you. It takes time, and you keep having to do it over and over again. It gets old very quickly.
But wait! There are more problems involved than just the hassle of using MFA. Once you have implemented it, you also have to worry about being locked out of your account. Say for example you are trying to get a code to enter into your laptop but your phone is dead or out of range. You are left high and dry. Having at least two options for authentication can help you here.
Another thing to consider is the danger of using SMS for sending MFA authentication codes. The main weakness here is depending on the cell phone providers themselves. These providers are susceptible to the same weaknesses as the rest of us and are vulnerable to phishing, spoofing, malware and social engineering. Also, providers can be tricked into porting a phone number into a new device; a hack called SIM swapping.
There is a better alternative available in the form of authentication apps such as Google Authenticator. The advantage here is that to get a code, you are not relying on your carrier. The codes stay with the app, and hackers can’t get them even if they manage to move your number to a different phone.
Once again, you have to be careful that using MFA doesn’t cause you to be locked out of your own account. Google Authenticator provides you with a number of recovery codes when you first sign up that allow you to access your account if there is a problem. But these codes now need to be protected from hacker access. Make sure you have a good way to store these codes that hackers are not likely to be able to get at. If not, you have just lost all the security advantages you have just instituted.