Reviewed by: Shane Rolland
Many individuals use their e-mail to send and store sensitive information such as tax returns, financial statements, medical information and other documents that contain information prized by identity thieves. In the wake of national retail and online publications experiencing security breaches, users are encouraged to enable multi-factor authentication.
Get informed about the different ways to improve your password with the use of multi-factor authentication:
Authentication
To access many internet services, such as e-mail, online banking, or online shopping, you must first prove you are who you say you are. This process of proving identity is known as authentication.
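There are three types, or factors, of authentication: knowledge (something you know, such as a password), possession (something you have, such as a cell phone) and inherence (something you are).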
Traditionally, people only utilize the "Knowledge" factor and therefore are using "Single-Factor Authentication". The concern with using single-factor authentication is that many times an attacker only needs one piece of information, your password, to access your accounts. Recent breaches have shown that simple single-factor authentication is no longer sufficient for protecting sensitive information. Additionally, if an attacker gains access to an e-mail account that receives password reset notifications and confirmations, all websites registered with that e-mail address could potentially be compromised.
Multi-factor Authentication
For e-mail accounts and other sites that store sensitive information, a second factor of authentication, known as multi-factor authentication, should be enabled. Challenge questions are not a second factor because they still rely only on "Knowledge". The second factor must come from the factors of possession or inherence.
Recommendation
Seacoast Information Security recommends using a one-time text code sent to your cell phone anytime you authenticate from an unrecognized device. In doing so, you will be better protected, because even if your password is stolen, the attacker cannot access your account without having physical access to your cell phone. Once your device authenticates, it is considered a "known" device, so it most likely will not ask for a code the next time you attempt to sign in.
Next Steps
Many online sites, such as Yahoo, Dropbox, PayPal and Gmail, now offer two-factor authentication. Google has improved their security with optional two-factor authentication, or what they call "two-step verification". Google's two-step verification requires two things for authentication: your password and your smartphone. This feature is not enabled by default. To enable it, log into your Google account, go into "Account Settings", select "security", and follow the options to enable two-step verification. If any of the services you use offer two-factor authentication, please enable and use it.