Multi-Factor Authentication

Multi-factor Authentication as a security measure protected user accounts in 99.9% of attempted identity attacks, according to Microsoft.

This encouraging statistic was released as the tech giant revealed that 44 million of it’s Microsoft Azure Active Directory and Microsoft Services accounts were themselves vulnerable to being breached through compromised passwords.

If Microsoft are prepared to admit to such vulnerability, what about other global tech companies, e.g. Google, Amazon, Facebook, LinkedIn to name a few?

Users are widely accepted as being the weakest link in the IT Security chain – mainly through lazily adopting weak passwords, then compounding that by reusing them on multiple sites. If a password is compromised, the first thing any self-respecting ‘hacker’ (for want of a better description) will do is to retry it on a variety of popular sites. For example, the hacker uncovers your password from an online music service you use, they then try it on your email account, your Facebook and so on.

Ever received an email with an old LinkedIn password in the subject line, where the sender threatens to expose all your details unless you pay them in Bitcoin? Yes, you and the rest of us.Your compromised information was probably traded on the Dark Web – the seedy underside of internet usage.

Microsoft has a team collating compromised passwords from a variety of sources, checking them against existing Microsoft accounts and where they find a match, enforcing a change in password. That’s where the 44 million vulnerabilities figure comes from – 44 million matches and, therefore, potential exposures.

We’re all aware of many data breaches from hacked companies, businesses, councils, state authorities, cities and hospitals etc. How many of the compromised passwords were used elsewhere?

Australia enacted the Notifiable Data Breach (NDB) regulations in February 2018, where companies who have been hacked and user data stolen/exposed must supply the authorities with full details. This sort of information helps organisations in the IT Security field to assess the size of any problem and to devise remedial actions. Notifiable Data Breaches Statistics Report: 1 April to 30 June 2019

What actions can you take immediately to help protect yourself?

  • Use a different password for each individual service you’re signed-up to; that way, if one service is compromised, your other accounts are not so vulnerable.
  • Make your passwords into a longer passphrase – the added length will make it correspondingly harder to crack. A simple ‘peter1966’ is insufficient.While we generally recommend using a combination of upper and lower-case, numbers and special characters in your password, try a longer one which is still meaningful to you and therefore easier to remember e.g. ‘peterstreetyougrewupon1966’.
  • Enable MFA – multi-factor authentication. This is a two-key method of accessing accounts and there are some popular methods of achieving this, including:

– Software Push Notification – after entering a password, user receives notification through an App on their phone alerting them to the attempted login. User is then able to deny or approve the request with one touch.
– Authenticator App – password is entered causing a single-use, short-life code generated on Microsoft Authenticator, Google Authenticator or similar, to be sent to user’s phone. User must enter that code within a specified time limit in order to gain access.

The IT Agency recommends the ‘Software Push Notification’ method for greater security, but in either case the benefits are obvious – if your password becomes compromised, the code will be sent to your phone, not the hacker’s. Also, the arrival of an unexpected notification or code on your phone will alert you that something is amiss, prompting you to take precautionary action.

If you want more information on protecting your passwords and keeping your online experience secure, The IT Agency are happy to help – call us on (02) 8317 4730.