Hacking innovations have made a simple password far less able to secure important information. These "innovations" include SQL injections into your web browser and the use of computer bots that run millions of password attempts a minute. Fortunately, there are many ways to make your password entry procedure more secure. Passwords combined with other things are often called “authentication” methods and there are three different types of authentication. Read below to learn more about authentication, and the respective pros and cons of two-factor, multi-factor, and passwordless authentication methods.
Two-factor authentication (2FA) requires two distinct pieces of evidence (aka "proof" or "factors") that the user must supply to gain access to the information. At UVA, DUO is an example of a 2FA system. Users must first enter their Netbadge password (something they know) and then send a push request which is linked to their mobile device or telephone (something they have). Thus, there are two different pieces - something you know (password) and something you have (mobile device or telephone number) in order to gain access to the information.
If a hacker gets your password, they still won't have access to gated information, because when they try to gain entrance, you will get the Duo call, text, or push message from DUO and refuse it (since you know you're not logging in right now). If you receive a DUO login request without attempting to log in, please alert Information Security immediately by emailing Abuse@virginia.edu or by going our Information Security Incident Reporting webpage.
Multi-factor authentication (MFA) is similar to 2FA, but requires at least three distinct pieces of information from the user to prove their identity. The idea between adding factors (or pieces of evidence or proof) is based in simple probability. If there is a non-zero chance that an imposter has any given piece of the user’s authentication information, then adding an additional requirement greatly reduces the probability that the imposter has all the necessary information to get into the system.
For example, if the chances that an imposter had obtained a user’s mobile device and their Netbadge password were 1%, the hacker would have a 1% chance of beating the 2FA system at UVA. (Fear not, the odds are actually much lower). If an additional factor is added -- say, a security question about obscure personal information private to the user -- and the chances of a hacker obtaining the answer to that security question are 1%, then the chances of beating the MFA system are 100 times lower (.01%) than the chances of beating 2FA.
In short, MFA adds additional security layers, and while MFA creates more work for users each time they log in, every additional factor added to the login process significantly increases security. However, requiring additional factors also requires users to remember more information, and without resources such as LastPass to securely store passwords and other authentication-related information, users may get careless in an attempt to keep track of it all. So, it’s important to add factors proportionately to the sensitivity of the information being protected, since unnecessary protection can have the opposite effect to the desired outcome.
Tangentially, authentication procedures that don’t require the user to memorize or store information, such as sending a push to their mobile device, help to circumvent the risk of users carelessly storing password information.
It is important, however, to remain cautious, even under MFA protection. All of these additional protection factors are susceptible to social engineering via such methods as phishing, phone calls. or text. Regardless of the authentication methods you use, you must be vigilant.
Passwordless authentication strategies eliminate the need for a password altogether, instead substituting push notifications to a mobile device or a certificate installed on a device (this is secure because the device is protected by a password itself, and is unlikely to fall out of the possession of the intended user anyway). Passwordless is highly convenient for users, and eliminates risk of insecure password storage and password spraying attacks; without a password in the first place, bots cannot attempt to hack into accounts by inputting common passwords with a high number of trials.
Passwordless authentication is often used as one of two or more factors in 2FA and MFA. In the future, as passwordless authentication technology improves, we may see the password become completely obsolete in favor of more secure access control systems.