Updated 11/20/2019
On the LastPass blog, we are always telling you the importance of good password behavior. But multi-factor authentication is just as important to protect yourself or your business from a security breach.
Almost every week you hear about another site or app being breached. And many of those breaches could have been
prevented by multi-factor authentication (MFA).
Many of these breaches are caused by weak or reused passwords (80% according to the 2019 Verizon Data Breach Report). We can't stress enough the value of a password manager like LastPass to help you, your family, or your employees manage their passwords and create strong, unique passwords. But then MFA comes in to provide a second level of defense.
So what is MFA?
Multi-factor authentication (sometimes
also called two-factor authentication) is a feature that requires you to have more than just your username and password to log in to an account. After you enter your username and password it also requires a second piece of information – like a one-time code or your finger print.
You have to provide that second piece of information – whether it’s a code, or a temporary password, or the swipe of a finger – before the account can be accessed. If the correct information isn’t provided, the account remains locked.
How can MFA prevent breaches?
When breaches happen at large companies, it is often the case that a hacker got a hold of an employee's credentials and was able to hack into their system. Had that company required MFA to that system, the hacker would have entered the stolen username and password and then would have been asked for a second form of authentication. This would trigger an alert to be sent to the actual user's phone or email asking them to authenticate. Since the hacker would not have access to that second piece of information, they would not have been able to log in and the breach could possibly have been prevented.
For you as the end user, MFA is important because if your data is stolen through a breach, having an added layer of security can prevent access to your account. For example, if someone gets access to the username and password for your email account - they can try to log in but won't be able to without providing a second form of authentication (like a code texted to your phone, or use of an authenticator app on your phone).
What should you do now?
First, start by enabling MFA for your LastPass account. If you are a personal user (either with our Free, Premium or Families products)
follow the instructions here. If you are an admin for a business account (Teams or Enterprise) you can make multi-factor required or optional for employees –
instructions found here. We encourage our admins to enforce MFA wherever possible in the workplace, such as with single sign-on, user directory, and any other sites that allow for it.
Also, it's important to remember that you should turn on MFA for more than just LastPass. Web apps like your email account, Venmo, PayPal, Slack, Twitter, Facebook, and others all offer MFA.
Using LastPass and MFA together allows you to combine two secure practices: strong, unique passwords on all of your accounts, and an additional layer of security. Together, these allow you to rest easier as the news of breaches continues to roll in because your online accounts are protected to the best of your ability.
