On the LastPass blog we are always telling you about the importance of good password behavior. But multi-factor authentication is just as important for protecting yourself or your business from a breach.
Almost every week you hear about another site or app being breached. Today’s TimeHop breach is the most recent example of one that multi-factor authentication (MFA) could plausibly have prevented.
Many of these breaches are caused by weak or reused passwords: 81% of hacking-related breaches involved stolen or weak passwords, according to the 2017 Verizon Data Breach Investigations Report. We can’t stress enough the value of a password manager like LastPass for helping you, your family, or your employees create and manage strong, unique passwords. MFA then adds a second layer of defense for the case where a password is stolen anyway.
So what is MFA?
Multi-factor authentication (often called two-factor authentication, or 2FA, when exactly two factors are used) requires more than just your username and password to log in to an account. After you enter your username and password, you must also provide a second piece of information, such as a one-time code from an authenticator app or a fingerprint.
That second piece of information, whether a code, a temporary password, or the swipe of a finger, has to be supplied before access is granted. If it isn’t, the login is refused even though the password was correct.
How can MFA prevent breaches?
In the case of TimeHop, an employee’s credentials were leaked, which allowed the attacker to log in to their system. If TimeHop had required MFA for that system, the attacker would have entered the stolen username and password and then been asked for a second factor. Depending on the method, that means a code from the real user’s authenticator app or hardware token, or a push notification sent to the real user’s phone asking them to approve the login. Since the attacker does not hold that second factor, the login would have failed and the breach could possibly have been prevented. A push prompt has a useful side effect, too: the real user sees a login request they did not make, which is an early warning that their password is compromised.
What should you do now?
First, start by enabling MFA for your LastPass account. If you are a personal user (Free, Premium or Families), follow the instructions here. If you are an admin for a business account (Teams or Enterprise), you can make multi-factor authentication required or optional for employees; instructions are here. We encourage admins to enforce MFA wherever possible in the workplace, including single sign-on, the user directory, and any other service that supports it.
Also, remember to turn on MFA for more than just LastPass. Your email account matters most, since password resets for your other services are sent there. Venmo, PayPal, Slack, Twitter, Facebook, and many other services offer MFA as well.
Using LastPass and MFA together allows you to combine two secure practices: strong, unique passwords on all of your accounts, and an additional layer of security. Together, these allow you to rest easier as the news of breaches continues to roll in because your online accounts are protected to the best of your ability.