Weekly Tech Tidbit – I gotta new phone … oh no! The dark side of multi-factor authentication

October 19th, 2018

At some point in your life, you have probably been locked out of something - your house, your car, your office. I am sure it was awful trying to figure out how you were going to solve that problem. To add to your stress, we now keep a great deal of sensitive data online and on our phones, and access to it increasingly requires multi-factor authentication (MFA). Most often that second factor is tied to your phone.

But wait, I just traded in, lost, or had my phone die. What am I supposed to do?

We have been strongly recommending that you turn on some form of multi-factor authentication (MFA). There are many forms of MFA:

  • The classic dongle that generates a unique code to be used with each login.
  • The USB key that plugs in and acts as a tiny keyboard, typing that code for you.
  • Texting a code to your phone.
  • Calling your phone.
  • Using an application on your phone to approve your login (such as the Gmail app's sign-in prompt).
  • Using an authenticator application tied to your phone, such as Microsoft Authenticator or Google Authenticator (both free).
  • Using Windows 10 Hello, which can sense the presence of your phone via Bluetooth to know whether you are in front of the computer or have walked away.
  • Fingerprint scanning.
  • Using Windows 10 Business Hello, where an infrared webcam can distinguish when you are in front of your computer and when you are not. (Its reliability is vastly improved in recent releases.)

The philosophy of MFA is that, in addition to the normal ID/password login, you provide something else "out of band" that does not travel over the same computer or network, and that provides the additional level of authentication. The theory is that your computer might be compromised by a keystroke logger, but because the second factor is a single-use code delivered outside the normal login process, whoever captured your password still cannot complete the login.

Some systems refuse to send calls or texts to VoIP numbers because they consider those numbers easier to take over, which would let the codes be re-routed to the hacker. Many people opt for the Microsoft or Google Authenticator approach because it is free, works well, and you always have your phone.

But do you?

Once you don't have your phone, you don't have a means of authentication. Some highly secure systems will simply lock you out. Other systems may have a plan "B" MFA mechanism. For instance, I have Evernote set up for Google Authenticator MFA. But it will text a code to my phone if I can't authenticate with the software.

A few things you should remember:

When you set up Google Authenticator or Microsoft Authenticator with an application, the application often offers you "emergency backup codes". Download these codes and secure them in a safe place. If you and your phone are separated, you can use one of these single-use codes to get into your application and reconfigure MFA for whatever new phone or method you have.

If you use an authenticator application and still have a working phone, make a point of disconnecting your MFA apps from your applications before turning in or retiring that phone, and then enrolling the new one.

Also, if the software has another administrator, that administrator may be able to reset your MFA enrollment, or delete your user and re-add it, so that you can enroll the authenticator application on the new phone.

If you need help improving the security to your most critical data and resources via multi-factor authentication, give us a call.