You have probably heard horror stories about people whose personal accounts were hacked or companies that suffered data breaches that exposed customer information. The personal and business repercussions of an account being hacked range from minor inconvenience to major embarrassment, a damaged reputation, and financial loss. And those of us in the legal profession have an ethical obligation to take reasonable precautions to safeguard our clients’ confidential information.
To prevent unauthorized access to your account, most online services (such as your email provider and your bank) require you to enter a username and password to authenticate your identity and log in to the service. Two big weaknesses of the username and password model are:
- Users often select weak passwords (and also often use the same password with multiple services, which means a data breach of one service provider allows hackers to access all the other accounts that have the same username and password) and,
- Usernames and passwords are often compromised, such as through phishing attacks where hackers use social engineering to trick you into giving them your username and password (e.g., through a phony log-in page for your bank sent to you in an official-looking e-mail) or by logging in to accounts over an insecure Wi-Fi connection that allows hackers to capture your password.
By using multi-factor authentication, you can add an additional layer of protection so that a hacker would not be able to access your account with only your username and password.
What is Multi-Factor Authentication (MFA) and How Does it Help?
Multi-factor authentication (also commonly referred to as two-factor or two-step authentication) involves the use of more than one item (or factor) to authenticate your identity and gain access to the service in question. In most cases, the first item is your username and password combination. There are a variety of methods used to provide the second authentication factor, but the most common method of providing the second factor is for the user to enter a short numeric code into the website in addition to the username and password. In most cases, the user either generates the code using a smartphone app or the code is sent to the user (after entering the username and password) by SMS to the user’s cell phone or by an automated phone call. This second-factor code can generally only be used once and is often time-sensitive, meaning that anyone who intercepted the code would not be able to use it because it would no longer be valid.[i]
Thus, if your account was protected with multi-factor authentication, access would only be granted to someone who both (1) knows your username and password and (2) has access to your phone. The obvious advantage of using multi-factor authentication is that a hacker would need to steal your phone in addition to guessing or intercepting your password (and you would probably notice pretty quickly if your cell phone was stolen).[ii]
Multi-Factor Authentication is Easy to Set Up
Although the precise method of multi-factor authentication varies from site to site, in most cases configuring MFA is a straightforward process. For websites that provide multi-factor authentication by text message or phone call, the setup process typically requires you to supply your phone number and then type the code that is sent to you by SMS or phone call. And that’s it! Your account is set up and protected with multi-factor authentication. The next time you log in, you will be required to supply the security code sent to you by SMS or phone call.
For websites that use a smartphone app to generate security codes, the setup process requires you to install a compatible app. Most implementations support standardized TOTP (time-based one-time password algorithm) apps, such as the free Google Authenticator, Duo Security, or Authy apps, meaning you don’t need to install a separate app for each website. After installing the app of your choice, you use the smartphone app to scan a QR code (similar to a barcode) displayed by the website during the setup process, and then you type the short numeric code displayed by the app. Then you’re protected and ready to go. The next time you log in to the website, you will simply open the app on your phone and type the short code it displays.
Most websites that support multi-factor authentication will supply you with one or more backup codes that you should print and store in a safe location. The backup code would be used to regain access to your account if your phone was lost or stolen. (Of course, if your security codes are received by SMS or phone call and your phone is stolen, you will still receive the codes on your replacement phone once it is activated with your mobile phone provider.)
To make using multi-factor authentication less inconvenient, many websites that support MFA allow you to “trust” the computer that you are currently using so that you will not be required to supply the second factor the next time you log in from the same device. (Of course, you should only trust your personal computer, and you should not trust your device if you are connecting over an insecure Wi-Fi connection.)
To determine whether a particular website or service supports multi-factor authentication and the methods it supports, you may want to begin by checking: TwoFactorAuth.org. Here are some websites that support multi-factor authentication with links to read the details.
- Facebook (and see tutorial here: http://www.zdnet.com/tutorial-facebook-2-factor-authentication-step-by-step-7000028372/)
Downsides to Multi-Factor Authentication
There are a few downsides to multi-factor authentication, though they do not outweigh the substantial benefits:
- You need to have your phone with you in order to log in. (But how often is your cell phone out of arm’s reach?)
- The log-in process takes a few seconds longer because you need to get a security code from your phone and type the short numeric code into the log-in page.
- If you lose your phone, you will need to wait until your replacement phone is activated so you can receive the security codes by SMS or phone call, have access to the backup security code, or go through a more complex account recovery process to log in to your account.
- Websites have different systems for providing multi-factor authentication (but most sites support sending security codes by SMS, phone call, or through an app on your smartphone).
Bottom Line: It’s Worth the Minor Inconvenience
Multi-factor authentication is fairly easy to set up, and it provides a meaningful additional layer of protection for your accounts and the sensitive information stored in those accounts. And for legal professionals who have an ethical duty to safeguard client information, a minor inconvenience for a substantial security gain is definitely worth it. After all, if your account got hacked and a client’s information was stolen, your client would probably not be impressed with an explanation that, “I decided not to use multi-factor authentication because it was too inconvenient.”
Hackers employ many techniques to gain unauthorized account access and to steal sensitive information. There is no panacea that will provide complete protection, and there are many important steps that you should take to mitigate the risk of unauthorized account access. For example, you should use long, truly random passwords (that you save in a reputable password manager and do not reuse for multiple accounts), and you should use false, random, and/or nonsensical answers when setting up account security questions. But multi-factor authentication is simple to set up, fast and easy to use, and well worth the minor inconvenience of entering a second code when logging in to your online accounts.