Understanding MFA and Other Security Measures

We recently added a new home-user client through the Nextdoor website, and during our initial conversations, we covered a lot of security issues. The new client, an elderly gentleman, had a really good handle on his online security. There’s a lot for us to unpack as individuals and as those who have elderly parents – though some of this can apply to everyone.

First, let’s look at passwords. While this discussion is inspired by our new client, our conversation can apply to anyone because we never know when someone will not be able to access vital personal information either stored on a computer or device or in the cloud.

When we take on a new elderly client, we spend a lot of time talking about online security, including passwords, password managers and MFA. We were heartened to learn our new client knew all about using his passwords properly. He seemed to understand the system better than many of our younger clients.

When he asked about using a password manager, a subject he brought up, we advised against it. While password managers can greatly enhance online security and can be extremely convenient (think about accessing a website from your mobile phone when you’re in an urgent situation), everyone needs to know the law of unintended consequences. Every password manager has an encryption key, and if you don’t have the master password with that encryption key, you won’t get in. That includes you as the account owner and anyone who might need to get into a website.

We told him it would be preferable to write all his passwords in a book. It doesn’t need to be locked in a safe, but it should be kept in a secure place – and at least one other trusted person should know where it is. This is critically important for the elderly or anyone else who may need someone to manage their affairs because of some impairment or death.

Second, let’s look at forms of security generally known as two-factor authorization (2FA) or multi-factor authorization (MFA).

We discussed using MFA for his online banking and financial activity, and he said: “That is so easy, everyone should be doing it.”

I agree wholeheartedly. It’s not that complicated to use it once you set it up. In most cases, you can link the authorization to a specific device or devices, such as a computer, tablet or phone. When you do that, you can sign into a website account from the authorized device(s) without going through the authorization every time – or you can set it up to require authorization every time. It becomes difficult if somebody is trying to sign into your account from another device, but of course, this is what the process is designed to do.

The way most MFA processes work is that when you sign in from a device, a code is sent by text message to a phone or to an email address. Once you receive the code, you enter it on a designated page associated with the website. The complication will come if someone is truly signing in on your behalf from an “unknown” device. That person will need access to the authorization message.

Another security measure that works for iOS devices is Apple’s iCloud Keychain. Functioning like a password manager to some extent, it allows you to use your device access code to activate a complex password to enter a secure website.

We can help you understand all the benefits and pitfalls of using MFA. The big problems, obviously, are to make sure you don’t lock yourself out of your account and know what do to if your phone is not working. Call us – 973-433-6676 – or email us to get comprehensive information about MFA and password managers and to configure your systems to work best for your needs.

Who’s Your Office 365 Partner?

As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of the US Department of Commerce, a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. It’s an approach that’s been around, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. One layer seeks to limit lateral movement within a system once it’s been penetrated. The strategies include barriers to gaining permissions to move laterally within a system, a technique that hackers use to get to other systems. Defenses can include time limits to lock out an intruder or limit the amount of data that can be exported from a system under attack. Another defense is to provide misinformation. Another layer of security will allow a system to operate while under attack so that business won’t be disrupted.

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.