Looking at All the Factors
One of the things you (hopefully) don’t have to go through very often is selling your house. I am the type of person who needs to ensure that all the logistics involved in getting a house ready to put on the market are in place. And since I don’t do this often, I was not consciously aware of the changes that have happened in the technology that goes into selling a house. Recently I have had to jump into this area and was surprised by the differences in technology since the last time I went through this process. I must say that it is nice to be able to see when someone accesses the property and when they leave, all driven by an app on a smartphone. There are also apps that allow the realtor to access the key for the front door. This got me thinking about what factors go into verifying that the right person is requesting this access. From this train of thought, I revisited a topic that was discussed in the Wipfli 30 Tips in 30 Days for National Cyber Security Awareness Month (NCSAM) in October (see Tip #22, Use Multifactor Authentication Wherever Possible).
What are the factors? Like having to say your name when asked “Who is it?” after knocking on someone’s door, gaining access to locations and information involves a challenge and response, which creates a heightened sensitivity within you. After you answer the first challenge, someone may look through a slot in the door to check that you look like the person trying to gain access and that you match the name you provided. But this doesn’t work in all situations. For that reason, there are many ways to verify yourself. These include but are not limited to:
Something you know. By far the most frequently used authentication factor. This can be a response to a security question, a PIN, or a unique password.
Something you are. Often called biometric information, this is a fingerprint (like on current smartphones), retinal scan, speech recognition, or facial recognition, among other unique physical ways to identify yourself.
Something you have. We are seeing an increase in this area as smartphones are incorporating more mechanisms to assist with authentication (just beware of matching this with the next category). You can also have smartcards, hardware tokens (such as a YubiKey), or an RFID tag. There are some very affordable solutions you can easily access to add this layer of security to your arsenal.
Somewhere you are. With a smartphone always with you, you can use your location to prove your authenticity. Services like Google use this quite a bit. If you have ever been asked for additional proof when signing into something like your email because you are traveling or at a new place (like a coffee shop), you are being verified by location in addition to your other ways of authenticating.
Something you do. This newer method uses things like voice patterns, keystroke patterns, even heartbeats to verify you.
Two-factor authentication (2FA). For it to be true two-factor authentication, you must provide responses from two different factors. In many cases, people set up authentication to include a password and a security question, which is two separate pieces of information from one factor, “something that you know.” You want to pick two categories that can be independent of one another to better validate that you are who you say you are. Be sure to stay away from using a phone (“something you have”) and location awareness (“somewhere you are”) as your two factors because a lost or stolen phone can make it easy for someone to circumvent the efforts you put into heightening your security.
Multifactor authentication (MFA). When you get into more than two factors for authentication, you are referring to “multifactor” authentication. While this adds layers of complexity to your logins, you want to make sure it does this with minimal impact to your ease of access. This can include any of the following: a token (or app) and a password or passphrase, a fingerprint and a security question, or a location you frequent and facial recognition, etc. As mentioned previously, you want to make sure to think about your combination to know whether you are setting yourself up for the best possible layering of security. Even if you have two different factors but they can be tied back to the same device, you may want to add an additional layer of complexity, if available.
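The two-factor and multifactor rules above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it counts distinct factor categories and then asks how many are left if a single device is lost or stolen. The `Authenticator` class, the `assess` function and the sample logins are hypothetical names constructed for illustration, and the model assumes that whoever holds a device can satisfy every check bound to it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str                    # "know", "are", "have", "where" or "do"
    device: Optional[str] = None   # device whose holder can satisfy this check

def assess(login):
    """Classify a login (a list of Authenticator) using the rules above."""
    factors = {a.factor for a in login}
    # Several checks from one category still count as a single factor.
    repeated = sorted(f for f in factors
                      if sum(a.factor == f for a in login) > 1)
    # Worst case: one device is lost or stolen. Count the factor categories
    # that still stand between the finder and the account.
    devices = {a.device for a in login if a.device}
    remaining = min(
        (len({a.factor for a in login if a.device != d}) for d in devices),
        default=len(factors),
    )
    if len(factors) < 2:
        label = "single-factor"
    elif len(factors) == 2:
        label = "two-factor"
    else:
        label = "multifactor"   # more than two factors, as defined above
    return {"label": label, "factors": len(factors),
            "repeated": repeated, "left_after_device_loss": remaining}

# Constructed sample logins mirroring the combinations discussed above.
PASSWORD_AND_QUESTION = [
    Authenticator("password", "know"),
    Authenticator("security question", "know"),
]
PHONE_AND_LOCATION = [
    Authenticator("authenticator app", "have", device="phone"),
    Authenticator("phone location", "where", device="phone"),
]
PASSWORD_AND_TOKEN = [
    Authenticator("password", "know"),
    Authenticator("hardware token", "have", device="token"),
]

if __name__ == "__main__":
    for login in (PASSWORD_AND_QUESTION, PHONE_AND_LOCATION, PASSWORD_AND_TOKEN):
        print([a.name for a in login], assess(login))
```

A result of `left_after_device_loss` equal to 0 is the phone-plus-location case: two factor categories on paper, none left once the phone is gone.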
I don’t know which level of security is right for me or whether I even need it. After reading this, you may be saying to yourself, “I don’t know if I have a need for any security.” I recommend looking at this from a perspective of risk and asking whether there is anything you need to protect. We can say with a certain amount of assurance that websites like your online banking and email would benefit from the additional security. I also recommend you ask yourself whether there are passwords that connect to other things. This could be a site that you use to back up your digital photos but that also holds your credit card information for purchases or ties back to another feature of the website. While two-factor or multifactor authentication may not be for every website you access, you want to make sure you protect what is most important.
Whether it is your personal property or your digital footprint, you want to make sure you feel comfortable with who has access to it and that they are who they say they are. Hopefully you’ll think about this the next time you are online, and you’ll look into adding some additional layers of security on the things you want to make sure to protect.