In a recent video and blog post, Security Architect Sean Jacobs joined us to discuss how hackers can use credential harvesting to easily gain entry into many businesses.
In today’s post, Sean is back to explain how multi-factor authentication works and why it’s so effective at protecting your employees and business data from the effects of credential harvesting!
What is Credential Harvesting?
Credential harvesting, more commonly known as phishing, is when a hacker attempts to gather personal information or login credentials by impersonating a legitimate brand. This is done by sending users to a malicious website through an illegitimate link. Once a user clicks on the link and logs in, the hacker has full access to their account.
What Can Users do to Prevent Credential Harvesting?
Educating your employees is a great first line of defense when it comes to preventing credential harvesting and phishing attacks in your organization. It’s important that your employees know what phishing attacks are, how to identify them, and how to report them to your IT department. This training should be a continuous process since hackers and their methods of attack are always evolving.
Besides proactive education, Sean Jacobs reveals the number one thing users can do to prevent their credentials from being harvested is enabling multi-factor authentication!
What is Multi-Factor Authentication?
Most people with some sort of online account are used to simply visiting the website, entering their username and password, and logging in. This is regular authentication. Multi-factor authentication is so valuable because it adds an additional layer of security to your login credentials.
With multi-factor authentication, you must present two pieces of evidence (your credentials) when logging into an account. Credentials fall into these three categories:
- Something you know, for example, a password or PIN
- Something you have, for example, a smartphone that can receive a code via text
- Something you are, for example, your fingerprint or face ID
In order to be multi-factor authentication, your credentials must come from two different categories. Simply entering two different passwords would not be considered multi-factor.
Examples of Multi-Factor Authentication
Common examples of multi-factor authentication include:
- Codes generated by smartphone apps
- Badges, USB devices, or other physical devices
- Soft tokens
- Certificates
- Fingerprints
- Codes sent to an email address
- Facial recognition
- Retina or iris scanning
- Answers to personal security questions
The latest multi-factor authentication solutions can even incorporate additional factors based on certain triggers. By considering context and behavior when authenticating, it adds yet another layer of protection. For example, a particular account may ask for an extra level of authentication depending on:
- Where you are when trying to obtain access, such as a cafe with a public Wi-Fi network
- When you are trying to obtain access, like late at night when you typically only use the device during the workday
- What device you’re using to obtain access, such as a smartphone vs a laptop
How Does Multi-Factor Authentication Protect Against Credential Harvesting?
Multi-factor authentication helps protect users from credential harvesting by adding an additional layer of security to their login credentials.
For example, let’s say you use a password paired with a unique code that is generated and sent to your smartphone each time you try to login to your account. In this case, the hacker would need to steal both your password and your phone in order to get into that account. Furthermore, if your phone requires a PIN or fingerprint to unlock (which it should if you’re being smart!), it adds yet another layer of security.
Microsoft’s Multi-Factor Authentication Tools
Microsoft offers a few different ways to protect the tools you rely on to do business from credential harvesting! Here are two major ones:
The Microsoft Authenticator App
With the Microsoft Authenticator App, you can sign into your personal Microsoft account without a password. For security, you’ll use a fingerprint, face recognition, or a PIN. If anything happens to your mobile device or you forget your PIN, your password will still get you into your account.
If you need more security (which we recommend for business use), you can require a password along with your fingerprint, face recognition, or PIN. This multi-factor verification will keep your Microsoft accounts safe and secure! For a personal account, you can turn two-step verification on or off yourself. For a business account, the administrator will decide whether the organization will use two-step verification, then each user will need to complete their registration process and set up their own credentials.
The Microsoft Authenticator app also supports the industry standard for time-based, one-time passcodes, known as TOTP or OTP. You can add any online account that also supports this standard to the Microsoft Authenticator app. This helps you keep your other online accounts (even if they are not powered by Microsoft!) secure.
The Microsoft Authenticator app is available for Android and iOS, and you can use it with a mobile phone or a tablet. Download it for free here!
Office 365 for Business
Office 365 for Business includes multi-factor authentication! Before users can sign in to their Office 365 account with two-step verification, the admin must enable it for the organization. Then each user can set up their own verification methods. Once that’s done, users can sign in using multi-factor verification by following these three simple steps:
- Sign into your Office 365 account with your username and password.
- After you enter your password, you’ll be sent a code to your phone (or whatever device/app you specified when you set up the two-step verification).
- Once you receive the 6-digit code, enter it in the box then choose “Sign in.”
Pro tip: if you’re tired of manually typing in the 6-digit code, you can use the Microsoft Authenticator app on your smartphone for 1-click verification!
As a Microsoft Certified Partner, Protected Trust aims to provide a transformative solution for your business with the help of Microsoft’s tools and vision. Ready to transform the way your business operates and protects its data? Contact us today!
