In addition to using Multifactor Authentication (MFA) for school use, it’s recommended that you use MFA in your personal life. Why?
When you allow a single set of credentials to play the only role in authentication, one compromised set is all an attacker needs to steal or manipulate your data. This is especially true if the account in question is a key account such as your email account that you utilize to access all your other accounts.
Some stats about passwords:
- 92% of organizations have credentials for sale on the Dark Web
- 61% of people reuse the same or similar password everywhere
- “123456” and “password” were the top two password choices in 2018
- 81% of data breaches have been the result of weak or stolen passwords
To help combat that, MFA utilizes and combines the three following concepts:
- Something that you are: identifying you by something you are. Ideally these are unique and non-changing attributes such as a fingerprint, face picture, retinal imprint, or even your speech or typing patterns.
- Something that you know: this is unique knowledge to a person including such items as passwords. Historically, this is the most common form of online identification.
- Something that you have: an increasingly popular form of identification is to validate identity based on something that only the person may have. This was popularized through a key fob that generated a token (pin or series of numbers). Today, something that you have can include your smartphone.
Using an authenticator application is by far the best MFA tool to use for flexibility and resilience. The Microsoft Authenticator app (free and recommended by the Cyber Security Operations Center) allows you configure MFA using a phone call, SMS text, One-Time Passcode, biometric validation, and even configure Passwordless Authentication! If mobile networks are down, these apps allow communication over Wi-Fi; and vice-versa if Wi-Fi ever goes down.
MFA configured for your personal accounts means that even if a password gets compromised, the account is much less likely to be compromised as it still requires an MFA prompt.
Visit this page for instructions on setting up MFA.