Authentication is the password protection system of the present and the future. Put it to use now.

Hacking innovations have made a simple password far less able to secure important information. These "innovations" include SQL injection attacks against websites and the use of computer bots that run millions of password attempts a minute. Fortunately, there are many ways to make your password entry procedure more secure. Passwords combined with other forms of proof are often called "authentication" methods, and there are three different types of authentication. Read below to learn more about authentication, and the respective pros and cons of two-factor, multi-factor, and passwordless authentication methods.

Two-Factor

Two-factor authentication (2FA) requires the user to supply two distinct pieces of evidence (also known as "proof" or "factors") to gain access to the information. At UVA, Duo is an example of a 2FA system. Users must first enter their NetBadge password (something they know) and then send a push request to their linked mobile device or telephone (something they have). Thus, two different pieces are needed to gain access to the information: something you know (password) and something you have (mobile device or telephone number).

If a hacker gets your password, they still won't have access to gated information, because when they try to gain entrance, you will get the call, text, or push message from Duo and refuse it (since you know you're not logging in right now). If you receive a Duo login request without attempting to log in, please alert Information Security immediately by emailing [email protected] or by going to our Information Security Incident Reporting webpage.

Multi-Factor

Multi-factor authentication (MFA) is similar to 2FA, but requires at least three distinct pieces of information from the user to prove their identity. Adding an additional factor decreases the likelihood of a malicious login significantly.  

MFA adds security layers. It creates more work for users each time they log in, but every factor added to the login process significantly increases security. However, requiring additional factors also requires users to remember more information, and without resources such as LastPass to securely store passwords and other authentication-related information, users may get careless in an attempt to keep track of it all. Make sure to use LastPass to keep track of all your passwords!

On a similar note, authentication procedures that don’t require the user to memorize or store information, such as sending a push to their mobile device, help to decrease the risk of users carelessly storing password information. 

It is important, however, to remain cautious, even under MFA protection. All of these additional protection factors are susceptible to social engineering via such methods as phishing, phone calls, or text. Regardless of the authentication methods you use, you must be vigilant.

Passwordless Authentication

Passwordless authentication strategies eliminate the need for a password altogether, instead substituting push notifications to a mobile device or a certificate installed on a device. This is secure because the device is itself protected by a password, and is unlikely to fall out of the possession of the intended user anyway. Passwordless is highly convenient for users, and eliminates the risk of insecure password storage and password spraying attacks; without a password in the first place, bots cannot attempt to hack into accounts by inputting common passwords with a high number of trials.

Passwordless authentication is often used as one of two or more factors in 2FA and MFA. In the future, as passwordless authentication technology improves, we may see the password become completely obsolete in favor of more secure access control systems. 

Use Multi-Factor Authentication Whenever Possible

Most apps and websites we use today have multi-factor authentication capabilities. If you need to log in to access your account on any app or website, check to see if they offer MFA. If they do, use it! MFA protects your information and greatly reduces the risk of hackers gaining access to your account.