
Beyond Passwords: MFA Secrets Every Woman Entrepreneur Needs to Know
Passwords alone are no longer enough to keep your accounts secure. Cybercriminals have become increasingly sophisticated in their methods to steal passwords through phishing attacks, data breaches, and other tactics. This is where multi-factor authentication (MFA) comes in, adding an extra layer of security to your accounts.
Multi-factor authentication (MFA, usually called 2FA when exactly two factors are used) is based on the three primary categories of authentication factors: something you know, something you have, and something you are. These concepts form the foundation of robust security measures that protect your digital assets. (See my explainer reel for a quick overview.)
Something you know refers to information that you've memorized, such as passwords, PINs, or answers to security questions. While this is the most common form of authentication, it's also the most vulnerable to attacks.
Something you have involves physical objects you possess, like smartphones for receiving one-time codes, hardware security keys, or smart cards. This factor significantly enhances security as it requires an attacker to physically obtain the device.
Something you are utilizes biometric data unique to you, such as fingerprints, facial recognition, or retinal scans. This factor is considered the most secure, as biometric traits are extremely difficult to replicate.
By combining two or more of these factors, MFA creates a layered defense that dramatically increases the security of your accounts, making it exponentially more challenging for unauthorized users to gain access.
Two Powerful Options: Authenticator Apps and Hardware Security Keys
Option 1: Authenticator Apps
Authenticator apps are free, easy-to-use smartphone applications that generate temporary codes for logging into your accounts. These codes change every 30 seconds, making them much more secure than traditional SMS-based two-factor authentication.
Benefits:
- Free and easy to set up
- Works without an internet connection
- More secure than SMS-based authentication
- Can be used with multiple accounts
Option 2: Hardware Security Keys
Hardware security keys are small physical devices that plug into your computer or connect wirelessly to your smartphone. They provide an even higher level of security than authenticator apps.
Benefits:
- Extremely resistant to phishing attacks
- No need for batteries or internet connection
- Can be used across multiple devices
- Some keys support biometric authentication for added security
A common question I get is why a hardware key, if stolen together with your laptop, doesn't compromise your security. Here's why it keeps you safe even if it is stolen along with your device:
Physical interaction required: Most hardware keys require a physical touch or press of a button to activate. This means that even if the key is plugged in, it won't automatically grant access without your intentional interaction.
No stored passwords: Hardware keys don't store your passwords or login information. Instead, they use cryptographic protocols to prove your identity to the service you're logging into. This means a thief can't extract your passwords from the key.
Limited use window: When you use a hardware key, it typically only authorizes access for that specific login session. Once you log out or close the browser, the authorization is invalidated.
Two-factor, not single-factor: Remember, the hardware key is just one part of the authentication process. You still need to know your password, which isn't stored on the key or your laptop.
Unique key per service: Hardware keys generate unique cryptographic keys for each service you use them with. So even if someone somehow extracted information from the key (which is extremely difficult), they couldn't use that to access your other accounts.
Ability to revoke: If your laptop and key are stolen, you can quickly revoke the key's access to your accounts from another device, rendering it useless to the thief.
Step-by-Step Setup Guide
Let's walk through setting up both options, starting with the authenticator app as it's free and a great starting point.
Setting Up an Authenticator App
1. Download Google Authenticator or Microsoft Authenticator from the Apple App Store or Google Play Store. There are others, but these are the big two.
2. Add your first account:
- Open the app and tap the "+" or "Add account" button.
- You'll be given two options: "Scan a QR code" or "Enter a setup key".
3. Enable 2FA on your account:
- Log into the account you want to secure (e.g., your email or social media account).
- Go to the security settings and look for "Two-factor authentication" or "2FA."
- Choose "Authenticator app" as your 2FA method.
- You'll see a QR code on your screen.
4. Link your account:
- In the authenticator app, choose "Scan a QR code."
- Use your phone's camera to scan the QR code on your computer screen.
- The app will now show a 6-digit code that changes every 30 seconds.
5. Finalize setup:
- Enter the 6-digit code from your app into the website to confirm setup.
- Save any backup codes provided by the website in a secure location.
Setting Up a Hardware Security Key
1. Purchase a security key:
- Choose a reputable brand like YubiKey or Google Titan Key.
- Ensure it's compatible with your devices (USB-A, USB-C, or NFC).
2. Register your key:
- Log into the account you want to secure.
- Go to the security settings and look for "Security Key" or "FIDO2" options.
- Choose to add a new security key.
3. Connect your key:
- When prompted, insert the security key into your computer's USB port or tap it against your phone (for NFC-enabled keys).
4. Activate the key:
- Touch the button or gold disk on your security key when prompted.
- Give your key a name (e.g., "Office Key" or "Backup Key").
5. Test your key:
- Log out of your account and try logging back in.
- When prompted, insert or tap your security key and touch the button.
Using Your New Security Method
For Authenticator Apps:
- When logging into your account, after entering your password, you'll be prompted for a code.
- Open your authenticator app and enter the 6-digit code displayed for that account.
For Hardware Security Keys:
- After entering your password, you'll be prompted to insert or tap your security key.
- Insert the key into your USB port or tap it against your phone, then touch the button on the key.
Pro Tips
1. Add all your important accounts to your authenticator app or security key for comprehensive protection.
2. Always set up backup options (like backup codes or a second security key) in case you lose access to your primary method. Print the backup codes if you go that route and keep them with important papers -- don't keep a file or screenshot on your device.
3. Never share your authenticator codes or let anyone borrow your security key. Watch out for phishing messages claiming to be from your bank or another important account, asking for your code. If you are not actively logging in, don't enter your code.
4. Periodically review which apps and websites you've enabled 2FA on and update as needed.
5. One word of warning: MFA makes you a whole lot more secure, but if you click on a phishing site and enter your account info and code, it won't do you much good. Be careful what you click on.
By implementing these additional security measures, you're significantly reducing the risk of unauthorized access to your accounts. Remember, it might feel a bit cumbersome at first, but with practice, it becomes second nature. Your business deserves this level of protection, and you deserve the peace of mind it brings.