Note: Originally published October, 2019, on the University of Kansas Information Technology website.
KU Information Technology recently completed a rollout of multi-factor authentication with Duo Mobile to all faculty, staff, graduate research assistants, graduate teaching assistants and graduate assistants.
Even with the enhanced security offered by multi-factor authentication, faculty and staff must remain vigilant to protect themselves and university data. Complex passwords and multi-factor authentication (MFA) are effective security solutions, but the best protection is your ability to identify and thwart phishing and other attempts to deceive you and compromise your accounts.
The FBI last month issued a security advisory warning of possible ways criminals can bypass multi-factor authentication. However, the FBI concludes that “multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.”
How effective is multi-factor authentication?
In a September Forbes Magazine article, Microsoft reported that the use of multi-factor authentication prevents 99 percent of automated attacks, regardless of how simple or complex the multi-factor method is. Multi-factor authentication methods range from SMS text messages to advanced biometrics.
In May of this year, Engadget reported Google’s claim that even a simple recovery phone number will effectively prevent phishing. The percentages are astounding. Use of a recovery phone number thwarted 100 percent of automated attacks, 99 percent of phishing attacks and 66 percent of targeted attacks (attacks made by an individual on an individual without the aid of automation). Read the Engadget story.
How do criminals get around multi-factor authentication?
According to the FBI, the three greatest areas of vulnerability for multi-factor authentication are the SIM card inside your phone, which stores your unique information; the webpages that handle MFA operations; and attackers’ use of transparent proxies (a server that passes web traffic along but does not necessarily redirect it). For specifics on attacks that successfully bypassed multi-factor authentication, read the full ZDNet article.
The FBI noted that multi-factor authentication bypass attacks are extremely rare and have not been used in widespread, automated attacks. In another, related article, ZDNet reported that, because these attacks are so rare, even Microsoft does not have much statistical data on them.
How can you protect yourself?
What can you do if you are already updating your password regularly and using multi-factor authentication? As simple as it sounds, keep your phone with you and lock it when it is not in use. Also, lock your computer when you step away from it.
Beyond manually locking your devices, look to your passwords. If you find the idea of using a long, complicated password for each of your online accounts tedious or hard to remember, consider signing up for a password vault. Many of these include a virtual private network (VPN) you can use to encrypt your web traffic while you are online. This feature is especially useful if you are traveling or away from a secure network and your only Wi-Fi options are public and unsecured. And, while securing your online accounts and home computer or laptop with strong passwords, don’t forget your home router: be sure to change the factory default password to a stronger, unique one. Lastly, never share a password.
For a longer list of tips, read this PCMag story.
Your security is your responsibility
While it might seem unlikely an attacker will steal your identity, the Insurance Information Institute referenced a Javelin Strategy & Research study demonstrating that 2017 saw 16.7 million victims of identity fraud, “a record high that followed a previous record the year before.”
The truth is there is no one fix when it comes to security. Passwords, multi-factor authentication, malware and antivirus software, professional IT security tools and your own vigilance create layers of protection. The best course of action you can take is to use strong, unique passwords, use multi-factor authentication, be suspicious of emails or contact from strangers and monitor your accounts regularly.