So everyone tells you that two factor authentication (2FA) or multi factor authentication (mfa) is essential these days to protect you from people hacking your systems, mainly your email. Absolutely correct, without a shadow of a doubt it is the single most important way to protect yourself. If you want FunctionEight to provide your IT Support then it is a requirement that you have 2FA on your email.
However there are associated risks with this and it come down to the way people usually interact with their computers. This is something that the software manufacturers have not really worked out yet. It is a user experience / user interface (UX/UI) issue.
Many people have multiple devices, often a desktop a laptop and a phone. Some have multiple of each. So with 2FA enabled all of these devices when switched on are connecting to your email system like Microsoft Office 365 and authenticating. There are settings in the system that allows you to request “don’t ask me again for 14 days” and we all select that don’t we.
However if you are like me then you will leave your email open on your desktop even when you are not using it. Even if you lock the screen the email application will still be connecting to your email system to authenticate.
And this is where the issue comes. You are on a bus or in a boring meeting and you get an authentication request on your phone. If you are used to this you realise that this is probably your desktop and you authenticate. For most of the time this is ok, although it is bad practice.
However imagine the situation where you get a request on your phone and you think it is your home desktop, but in reality it is someone in a foreign country hacking your email and they have your username and password (you use a simple password because you have 2FA right?). All of a sudden you approve the request and you give the hacker access to your email. And that is where your issues come.
Rules to avoid this:-
- Do not leave your email application running on your computer when you are not using it. This will stop authentication requests coming in when you are away from your computer.
- Never accept an authentication unless you know which of your devices is requesting it.
Don’t say you have not been warned. 2FA or MFA is great when used the way it is supposed to be used. Abuse it and it will bite back.
Been hacked and need help, please contact me at phil@dev.functioneight.com