MFA Guide: Difference between revisions

From Irregularpedia
Jump to navigation Jump to search
Initial
 
syntax
Tag: 2017 source edit
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
<span id="what-is-mfa"></span>
= What is MFA =
= What is MFA =


Multi-factor authentication (MFA) is a layered approach to securing your online accounts and their data. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password. According to Microsoft, users who enable MFA are significantly less likely to get hacked. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.
'''Multi-factor authentication (MFA)''' is a layered approach to securing online accounts and their data. MFA requires users to provide two or more authenticators to verify their identity before accessing services. This method significantly reduces the likelihood of unauthorized access. According to Microsoft, users who enable MFA are significantly less likely to get hacked. Even if one factor, like a password, is compromised, unauthorized users cannot bypass the second authentication requirement.


It goes by many names: Two Factor Authentication, Multi-Factor Authentication, Two Step Authentication, MFA, 2FA, and UFA. They all refer to using a combination of something we have, know, or are when confirming we are who we say we are online.[1]
MFA is also called Two-Factor Authentication (2FA), Multi-Factor Authentication, Two-Step Authentication, or UFA. All these terms refer to using a combination of what the user knows, has, or is to confirm identity online. [https://www.cisa.gov/mfa Source: CISA]


MFA combines two or more independent credentials:
== MFA Combines Two or More Independent Credentials ==
# What the '''user knows''' (password).
# What the '''user has''' (security token).
# What the '''user is''' (biometric verification).


= what the '''user knows''' (password) =
= what the '''user has''' (security token) =
= what the '''user is''' (biometric verification). =
<span id="mfa-backup-codes"></span>
=== MFA Backup Codes ===
=== MFA Backup Codes ===


Backup One-Time Passcodes (OTP) are vital for deployments and should be part of every Soldier’s mental “Go Bag.” Remember one of the OTP for your most important accounts if you need to access an account on an unknown device.
Backup One-Time Passcodes (OTP) are vital for deployments and should be part of every user's emergency plan. Situations prohibiting personal devices may require using backup OTP to access accounts. Securely store backup codes and ensure they are accessible during critical times.


Situations prohibiting personal devices may require using backup OTP to access accounts.
<span id="types-of-mfa"></span>
== Types of MFA ==
== Types of MFA ==
* '''(WEAKEST)''' Text Message (SMS) or Email: A service sends a code to your phone or email, which you use to log in. While better than no MFA, SMS/email-based authentication is considered the weakest form.
* Authenticator App: Generates MFA codes on your smartphone. These codes typically expire every 30 or 60 seconds.
* Push Notification: Instead of entering a code, you approve or deny a login request via a notification sent to your device.
* FIDO Authentication: Utilizes secure biometric mechanisms or physical keys, providing a highly secure authentication method.
* '''(STRONGEST)''' Universal 2nd Factor (U2F): Hardware tokens such as CAC, Nitrokey, or Yubikey. These hardware tokens are phishing-resistant and use protocols like FIDO2 for enhanced security. [https://www.yubico.com/authentication-standards/fido-u2f/ Source: Yubico]


= '''(WEAKEST)''' Text Message (SMS) or Email: When you log in to an account, the service will send a code to your phone or email account, which you then use to log in. Note that this SMS/mail is the weakest form of MFA, and you should only use it if none of the other options are available. =
== How To Enable MFA ==
= Authenticator App: An authenticator app generates MFA login codes on your smartphone. When prompted for your MFA code, you launch the app and type in the displayed number. These codes often expire every 30 or 60 seconds. =
= Push notification: Instead of using a numeric code, the service “pushes” a request to your phone to ask if it should let you in. You will see a pop-up and can approve the login request or deny it if you did not initiate the authentication request.<br /> =
 
= FIDO authentication: FIDO stands for “Fast Identity Online” and is the gold standard of multi-factor authentication. The FIDO protocol is built into all major browsers and phones. It can use secure biometric authentication mechanisms – like facial recognition, a fingerprint, or voice recognition – and is built on strong cryptography. Often it uses a physical device – a key – essentially an encrypted version of a key to your house. More information on FIDO keys is available from the FIDO Alliance. =
= '''(STRONGEST)''' Universal 2nd Factor (U2F): Hardware tokens such as a CAC, Nitrokey, or Yubikey. Hardware tokens protect access to computers, networks, and online services that support one-time passwords (OTP),public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. When paired with a touch-required or NFC mechanism, UFA is considered '''Phishing-Resistant''' [2] =
 
<span id="how-to-enable-mfa"></span>
= How To Enable MFA =
 
<span id="app-mfa-totp"></span>
== App MFA (TOTP) ==


The instructions below may not be exact and may be slightly different depending on the service you are using. 1. log in to the account 2. Settings 3. Security &amp; Privacy 4. Enable or Setup (MFA / Multi-Factor Authentication / 2FA / Two-Factor Authentication) 5. Select “Mobile App.” - Do NOT select SMS unless it is the only choice. 6. Select “I can’t see” or “Enter manually” to obtain MFA “seed.” - Scan QR Code with Authenticator App if the manual is not allowed 7. Securely store MFA seed in a password manager or encrypted database 8. Print the backup keys provided and save them to the encrypted database ### Recommended Software for MFA - OTP Auth ([https://apps.apple.com/us/app/otp-auth/id659877384 iOS]) - Aegis ([https://getaegis.app/ Android]) - Authenticator ([https://addons.mozilla.org/en-US/firefox/addon/auth-helper/ Firefox])
=== App MFA (TOTP) ===
Follow these steps to enable MFA with an authenticator app:
# Log in to the account.
# Navigate to Settings.
# Go to Security & Privacy.
# Enable or set up Multi-Factor Authentication (MFA).
# Select "Mobile App" (avoid SMS unless necessary).
# Scan the QR Code or enter the MFA "seed" manually.
# Securely store the MFA seed in a password manager or encrypted database.
# Print and save backup keys provided by the service.


<span id="hardware-token-ufa"></span>
==== Recommended Software for MFA ====
== Hardware Token (UFA) ==
* [https://apps.apple.com/us/app/otp-auth/id659877384 OTP Auth (iOS)]
* [https://getaegis.app/ Aegis (Android)]
* [https://addons.mozilla.org/en-US/firefox/addon/auth-helper/ Authenticator (Firefox)]


The instructions below may not be exact and cover the average service. 1. log in to the account 2. Settings 3. Security &amp; Privacy 4. Enable or Add “Hardware keys.” 5. Insert Hardware Token when prompted
=== Hardware Token (UFA) ===
Steps for enabling MFA using a hardware token:
# Log in to the account.
# Navigate to Settings.
# Go to Security & Privacy.
# Enable or add "Hardware keys."
# Insert the hardware token when prompted.


'''NOTE: About Backups:''' Configuring a duplicate hardware token and storing it in a safe location as a backup is recommended. ### Recommended Hardware for UFA <a href="https://www.yubico.com/product/security-key-c-nfc-by-yubico/" target="_blank">Cheapest 2FA Yubikey: Security Key C NFC by Yubico</a> No frills while still providing phishing-resistant UFA. &gt;TAP-AND-GO - Tap Security Key C NFC to NFC-enabled Android, Windows 10 and iOS devices and applications | Also slips into any standard USB-C port DURABLE - Fiberglass reinforced bodies protect key from everyday life PORTABLE - Fit Security Key on a keyring and carry it without any worry COMPATIBLE - Security Key fits into any standard USB-C port
'''Note: Backups'''
Configure a duplicate hardware token and store it securely as a backup.


'''NOTE: About Buying Yubikey:''' The more expensive yubikeys have additional features such as encryption and signature capability, which are more advanced and you may not need.
==== Recommended Hardware for UFA ====
* [https://www.yubico.com/product/security-key-c-nfc-by-yubico/ Security Key C NFC by Yubico]: A budget-friendly Yubikey option offering phishing-resistant UFA.


'''Note: About Buying Yubikeys'''
Higher-end Yubikeys offer additional features such as encryption and signature capability, which may not be necessary for all users.


-----
== References ==
* [https://www.cisa.gov/mfa CISA: What is MFA]
* [https://www.yubico.com/authentication-standards/fido-u2f/ Yubico: FIDO U2F Authentication]


= https://www.cisa.gov/mfa =
[[Category:Cybersecurity]]
= https://www.yubico.com/authentication-standards/fido-u2f/ =
[[Category:Authentication]]
[[Category:Best Practices]]

Latest revision as of 17:22, 3 December 2024

What is MFA

Multi-factor authentication (MFA) is a layered approach to securing online accounts and their data. MFA requires users to provide two or more authenticators to verify their identity before accessing services. This method significantly reduces the likelihood of unauthorized access. According to Microsoft, users who enable MFA are significantly less likely to get hacked. Even if one factor, like a password, is compromised, unauthorized users cannot bypass the second authentication requirement.

MFA is also called Two-Factor Authentication (2FA), Multi-Factor Authentication, Two-Step Authentication, or UFA. All these terms refer to using a combination of what the user knows, has, or is to confirm identity online. Source: CISA

MFA Combines Two or More Independent Credentials

  1. What the user knows (password).
  2. What the user has (security token).
  3. What the user is (biometric verification).

MFA Backup Codes

Backup One-Time Passcodes (OTP) are vital for deployments and should be part of every user's emergency plan. Situations prohibiting personal devices may require using backup OTP to access accounts. Securely store backup codes and ensure they are accessible during critical times.

Types of MFA

  • (WEAKEST) Text Message (SMS) or Email: A service sends a code to your phone or email, which you use to log in. While better than no MFA, SMS/email-based authentication is considered the weakest form.
  • Authenticator App: Generates MFA codes on your smartphone. These codes typically expire every 30 or 60 seconds.
  • Push Notification: Instead of entering a code, you approve or deny a login request via a notification sent to your device.
  • FIDO Authentication: Utilizes secure biometric mechanisms or physical keys, providing a highly secure authentication method.
  • (STRONGEST) Universal 2nd Factor (U2F): Hardware tokens such as CAC, Nitrokey, or Yubikey. These hardware tokens are phishing-resistant and use protocols like FIDO2 for enhanced security. Source: Yubico

How To Enable MFA

App MFA (TOTP)

Follow these steps to enable MFA with an authenticator app:

  1. Log in to the account.
  2. Navigate to Settings.
  3. Go to Security & Privacy.
  4. Enable or set up Multi-Factor Authentication (MFA).
  5. Select "Mobile App" (avoid SMS unless necessary).
  6. Scan the QR Code or enter the MFA "seed" manually.
  7. Securely store the MFA seed in a password manager or encrypted database.
  8. Print and save backup keys provided by the service.

Recommended Software for MFA

Hardware Token (UFA)

Steps for enabling MFA using a hardware token:

  1. Log in to the account.
  2. Navigate to Settings.
  3. Go to Security & Privacy.
  4. Enable or add "Hardware keys."
  5. Insert the hardware token when prompted.

Note: Backups Configure a duplicate hardware token and store it securely as a backup.

Recommended Hardware for UFA

Note: About Buying Yubikeys Higher-end Yubikeys offer additional features such as encryption and signature capability, which may not be necessary for all users.

References