10.10.18

Multi-Factor Authentication (MFA)

What is it? Why should I use it?

CYBERSECURITY
Tech Fair 2018

Boston University Information Services & Technology



Recent Password Hacks

 PlayStation Network (2011)
    77 Million accounts hacked
 Adobe (2013)
    38 Million accounts hacked
 Yahoo (2014)
    3 Billion accounts hacked (that B is not a typo)
 Under Armour (2018)
    150 Million accounts hacked


What can I do?

 You can’t stop a data breach, but you can make your password less useful to hackers
 How? Use MFA if possible
 Even if someone gains access to your password, you might be protected


What is MFA?

 MFA (Multi-Factor Authentication) / 2FA (Two-Factor Authentication)
 Uses multiple independent credentials
    What you know
    What you have
    What you are
 Creates redundancy
    One method fails, another to fall back on


Examples

 Log into website, receive one-time password via email or SMS
 Access VPN with password (e.g. vpn.bu.edu/2fa), answer prompt in DUO app on mobile device
 Access corporate network via USB device and password
 Enter high security facility with retina scan, and code


DUO etc.

 BU uses DUO to protect PII
 Many sites use SMS MFA
 Better option is to use an authenticator app or a dedicated code generation device if possible


Downsides

 Inconvenient
    Extra time to log in
    Can’t log in without device (dead battery/ forgot)
 Can cause issues with applications depending on implementation


How to defeat MFA?

 Social Engineering
 Physical access to MFA security device
 Hacked Cookies
 Unknown methods


Summary

 Very important to use especially on critical accounts (Google, Apple)
    Especially on accounts that are used for other MFA (email accounts etc.)
 Slight inconvenience is small price to pay for large increase in security
 Hackers go after the low-hanging fruit
 Go home and enable MFA on everything!


Questions?



Multi-Factor Authentication (MFA)
Why does it matter?

• Hacks happen all the time. We unfortunately cannot control how third parties store our sensitive data, but using MFA, we can make our passwords less useful to hackers.

• What if copies of your house key were entrusted to a third party to keep safe? Wouldn’t you want to install another type of lock that only you could get through? This is a good (basic) analogy of MFA.

• Hackers usually go after the low hanging fruit. Don’t be an easy target.

Largest hacks (> 50 million records)

Entity                                        Year  Records         Organization type            Method
Yahoo                                         2013  3,000,000,000   web                          hacked
Yahoo                                         2014  500,000,000     web                          hacked
Friend Finder Networks                        2016  412,214,295     web                          poor security / hacked
Massive American business hack                2012  160,000,000     financial                    hacked
Adobe Systems                                 2013  152,000,000     tech                         hacked
Under Armour                                  2018  150,000,000     Consumer Goods               hacked
eBay                                          2014  145,000,000     web                          hacked
Equifax                                       2017  143,000,000     financial, credit reporting  poor security
Heartland                                     2009  130,000,000     financial                    hacked
Rambler.ru                                    2012  98,167,935      web                          hacked
TK / TJ Maxx                                  2007  94,000,000      retail                       hacked
MyHeritage                                    2018  92,283,889      genealogy                    unknown
AOL                                           2004  92,000,000      web                          inside job, hacked
Anthem Inc.                                   2015  80,000,000      healthcare                   hacked
Sony PlayStation Network                      2011  77,000,000      gaming                       hacked
JP Morgan Chase                               2014  76,000,000      financial                    hacked
National Archives and Records Administration  2009  76,000,000      military                     lost / stolen media
Target Corporation                            2014  70,000,000      retail                       hacked
Tumblr                                        2013  65,469,298      web                          hacked
Uber                                          2017  57,000,000      transport                    hacked
Home Depot                                    2014  56,000,000      retail                       hacked
Philippines Commission on Elections           2016  55,000,000      government                   hacked
Facebook                                      2018  50,000,000      Social network               Poor security
Evernote                                      2013  50,000,000      web                          hacked
Living Social                                 2013  50,000,000      web                          hacked

Most common passwords (2017)

1. 123456
2. Password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1

sources: https://vigilante.pw/, SplashData


Multi-Factor Authentication (MFA)
What is it?

• You might also hear of 2FA (Two-Factor Authentication), which is a subset of MFA

• MFA is an authentication method that uses multiple independent credentials
  • What the user knows
  • What the user has
  • What the user is

• Adds another layer of security beyond username and password, which can be easily cracked, guessed, or hacked

• MFA has been around for many years, but is now starting to be common in the private sector

The three factors:

• What the user knows:
  • Password
  • PIN code
  • Security questions
• What the user has:
  • Security token
  • One-Time password (OTP)
  • ATM card
  • iOS/ Android app
• What the user is:
  • Fingerprint
  • Retina scan
Multi-Factor Authentication (MFA)

Why should I use it?

• The standard username and password authentication method necessarily requires a database of stored passwords. If that database is captured, it is only a matter of time before the passwords in it are cracked.

• As computers get more and more powerful, cracking passwords gets easier and easier

• MFA creates redundancy. If your password is compromised due to poor strength or a hack, there is still a fallback

• It is very easy to set up

• Hackers go after the easy targets. Don’t be one!

How do we use it at BU?

• We use an MFA solution called DUO at BU

• DUO protects our sensitive systems
  • BUWorks
  • Our Mainframe
  • Other sensitive data systems that contain PII

• DUO is easy to use:
  • Can ‘push’ notifications to DUO app (preferred)
  • Can receive an SMS one-time passcode
  • Can receive call to mobile or office phone
