Ah, the venerable Username and Password, they have been required from all of us since the Mainframe computer days and have almost become second nature to us.  The problem is, in this day and age, they just aren’t all that secure a form of authentication.  Usernames are often easy to discover; sometimes they are just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites.  All this adds up to security that is not very secure at all.

Additional Security

To combat these inherent weaknesses, almost all online services - banks, social media, shopping and yes, Microsoft 365 too - have added a way for your accounts to be more secure. You may hear it called "Two-Step Verification" or "Multifactor Authentication", but it all operates on the same principle. When you sign into an account for the first time on a new device or application (like a web browser), you need more than just the username and password. You need a second thing - known as a second "factor" - to prove who you are. A factor in authentication is something unique to you and you alone that proves you are who you say you are when you try to sign in. For example, a password is one kind of factor: it is a thing only you know. The three most common kinds of factors are:

  • Something you know - Like a password, or a memorized PIN.
  • Something you have - Like a smartphone, or a secure USB key.
  • Something you are - Like a fingerprint, or facial recognition.

How does this work?

Let's say you are signing into your work or school account, and you use your username and password. If that is all you need to be authenticated, then anybody who knows, guesses, or uses a computer to brute-force your username and password can sign in as you from anywhere in the world and has access to everything you own! But if we now add a second verification step (multi-factor authentication), things get more interesting. The first time you sign in on a device or app you enter your username and password as usual, then you are prompted to enter your second factor to verify your identity. The nature of the second factor usually depends on the service you are attempting to access, so we will examine a few.

Something You Have

In most cases, this will be your smartphone. The service may want to either phone you or send you a text message. If it phones you, it will usually ask you to press one or more touchtone keys on your phone. If it texts you, it will probably send you a series of digits that you enter on your computer in response to a second login screen the service supplies. Another common cellphone authentication factor is an authentication app, such as Microsoft's free Authenticator, which offers you two different methods. It supplies a random number that is updated every minute for you to enter if the service asks. It also provides a push mechanism, so the service can send you a prompt through the Authenticator app for you to verify and acknowledge. Much less common than the cellphone is a secure physical key, usually a USB device, that you plug into the computer.

Something You Are

The appropriate term for this is Biometrics, and it includes physical features unique to you as a human, such as your fingerprints and your face. Many computers now come with fingerprint readers. When enabled and set up, this becomes your second factor; services that use Biometrics will require you to touch the fingerprint reader to verify you are really you. Similar features are facial recognition and retinal eye scanning. In these cases, the computer has circuitry and software added to its camera allowing it to recognize your face or the structural patterns present in your eyes. With either of these in operation, all you need to do is glance at your computer or touch the fingerprint scanner to gain access; no passwords are required at all. If you have a Windows 10 machine, much of this is built in and is called the Windows Hello system.

Important things to know

First, it is important that the factors be different kinds of factors. Having two passwords, or a password and a memorized PIN, is just two of the same kind of factor - things you know - and if somebody compromises one password, they likely can compromise both. To be secure, it should be a combination of at least two of the three different kinds of factors. Crooks may steal your password, but they cannot easily steal your fingerprint.

Second, you will not have to use the second factor every time you sign in. Some folks worry that multi-factor authentication will add complexity and unnecessary inconvenience, but generally it is only used the first time you sign into an app or device, or the first time you sign in after changing your password. After that you will only need your primary factor - usually a password, PIN, fingerprint, or facial recognition. The extra security comes from the fact that somebody trying to break into your account is probably not doing so on your device and will not have that second factor to get in.

Start using it NOW!

Multi-factor authentication is not just for work or school. Almost every online service, from your bank to your personal email to your social media accounts, supports adding a second step of authentication.  You should open the account settings for these services and enable it as soon as you can.  The longer you delay, the more time you’re giving the bad actors to sneak in and ruin your world.