2022: beat bad passwords with the year of MFA
As we start a new year, it's become a tradition to mull over the worst passwords of the previous 365 days. A quick search of news articles on the topic reveals the usual culprits: 123456, 654321, qwerty and such still reign supreme as the most-used passwords.
How do we know this? Cybercriminals tend to publish hacked databases online to sell the data to others or brag about their coup. Scanning these, security researchers can see which passwords are the most common - and those are by their nature very poor. If you can guess '123456' in a few seconds, imagine how quickly a computer can do it.
Strong passwords are good, but fortunately they are not the only way to make our world much safer from cybercriminals. There is another way, and we already use it every day. This one simple addition to our digital security can make it so much harder for criminals to breach our systems and steal our data.
That solution is two-factor or multi-factor authentication (MFA). If we make 2022 the year of MFA, it will be a significant win against the unscrupulous criminals preying on us online.
What is MFA, and why is it so effective?
You likely already use MFA. Think of the last time you conducted a transaction through your online banking. Chances are, you were sent a PIN code via SMS or verified the transaction through a mobile alert or your banking app. You might also have noticed that more and more sites are using this mechanism. Gmail, Dropbox, Office 365 and Facebook all provide 2FA and MFA checks to ensure you are you.
Criminals try to subvert this system. When someone's SIM card is swapped without their knowledge, they often think that's the origin of an attack. But it's the last step. Criminals will first steal your login details, then use various techniques to convince a mobile operator that the phone number linked to your account has shifted to a new SIM. Then they can intercept those messages containing one-time PINs or authentication prompts. SIM swaps happen precisely because criminals are trying to bypass multi-factor authentication.
MFA isn't infallible. Nothing in security is infallible. You must always be vigilant. But MFA makes it much harder for criminals to use stolen credentials. And online criminals are often pretty lazy. They'd rather hack someone without MFA than with MFA. Just the presence of MFA can deter many attacks.
Fortunately, MFA is already widely available. Some businesses, such as banks, enforce its use, yet many more offer it as an option. If you make one security commitment for 2022, check the services you use for MFA support and activate it where available. Business leaders: talk to your security staff about MFA support. Most cybersecurity companies provide MFA as part of their basic services.
Users sometimes resist MFA as another hurdle they must cross when logging in. But in a world where data moves freely between offices and homes, computers and mobile phones, criminals actively target people to steal their credentials. Phishing, which uses fake messages to dupe users into handing over login information, has grown by double and triple digits during 2021. Criminals want our credentials. MFA cuts through that, offering a way for people to authenticate themselves without remembering long passwords or lists of security questions.
We still need passwords. But at least if someone is still using '123456', it's not the only thing stopping criminals from breaking in. MFA means sleeping easier at night - unless you are a cybercriminal. Then you have to do a lot more work or find an easier mark. MFA turns our connected world against the cowards that use it to rob us. Let's make 2022 the year of multi-factor authentication and take technology back from the bad guys.