Ask Christopher: Enable MFA For Password Reset

by Christopher Perry

It is now November 2020 and the COVID-19 pandemic is still in full swing. Pandemic culture requires everyone to spend more time at home, affording additional opportunities to take advantage of the myriad benefits found in the digital age. During this particular season, I’m talking about shopping online, of course! The increased dependency on online activity has also increased the risk of becoming a victim of cybercrime. That is the mentality behind a question that comes up every year, and even more so now that the world is being assaulted from all sides.

The Question:

“Should I enable Multifactor Authentication for Password Resets?”

The Answer:

Without a doubt.

My stance on MFA for Password Reset does not vary with the holiday season. You should implement MFA regardless of the time of year, but the current climate does lend some weight to acting sooner rather than later. This is not a new idea. US-CERT (the United States Computer Emergency Readiness Team) issued an official warning about common Holiday Scams and Malware Campaigns back in 2017. The digital climate certainly has not lightened up in the years since.

The US-CERT warning provides excellent considerations and best practices for staying safe while shopping online, but modern authentication security allows us to go one step further. The chicken follows the egg, so to speak.

Why Password Reset?

MFA is not a cure-all – users should still feel responsible for maintaining secure practices both at work and at home. However, MFA does help level the playing field, tipping the odds in favor of the user instead of the attacker. This remains true whether MFA is implemented as part of a Password Reset process or as part of the standard login procedure.

True MFA is implemented end-to-end, so that no authentication path is left unprotected and no potential hole is left open.

MFA during Password Reset provides a specific benefit that many organizations tend to overlook: blocking social engineering attempts.

Password Reset applies when users simply do not know their password. At this stage, users need a way to prove their identity and regain access to the account. The most common approach is to rely on known information configured in advance by the user.

Without MFA, attackers can simply discover that known information by mining public data about the individual. With a little effort, the attacker changes the ‘unknown’ password to a value of their choosing and gains access to everything gated by those credentials. Even when MFA is enforced on the login itself, knowing the current password still grants a lot of leverage, especially if MFA isn’t enforced everywhere.

Furthermore, adding MFA to the Password Reset process also prevents nuisance activity intended to wear the user down into complacency. MFA also improves usability, reducing login fatigue while offering protection from external forces.

It’s a win-win.

Why Not Use Just Challenge Questions?

At this point, many readers may be thinking about the systems currently in use – systems that rely on challenge questions as the known information for regaining access to an account. On the surface, these systems (often referred to as CQA – Challenge Questions and Answers) offer a level of protection that is simple for the user to keep track of without being overly invasive. The only problem with that line of thought is that CQA also makes things easy for attackers.

CQA relies on shared information and simplicity – two properties that do not make for a robust security control. In most cases, the questions offered for CQA are the same questions asked on social media or other websites. This makes it even easier for an attacker to bypass the system and gain control. Simply put, you’re trading one ‘known’ value for another, potentially weaker one.

MFA, on the other hand, bolsters that known value by requiring something else entirely: a second factor the attacker does not hold. Even if part of the data set (the CQA, in this case) is compromised, the MFA approach stops the attacker before he or she can gain the upper hand.
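To make the argument of the last two sections concrete, here is a small added example (not code from this post or from any product it mentions) of a self-service reset gate that checks the CQA answer and a TOTP code together, so a mined answer alone never unlocks a reset. The account data, the `ResetService` class and the TOTP secret are constructed for the example; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(now // step))

def hash_answer(answer: str) -> str:
    # Normalise case and whitespace so the same answer always matches,
    # and store only a digest so the answer itself is never kept in clear.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

class ResetService:
    """Hypothetical self-service reset: the CQA answer alone never unlocks a reset."""

    def __init__(self, users: dict):
        # users: username -> {"answer_hash": str, "totp_secret": bytes, "password": str}
        self.users = users

    def reset_password(self, username, cqa_answer, totp_code, new_password, now=None):
        user = self.users.get(username)
        now = time.time() if now is None else now
        if user is None:
            # Same answer as a failed check, so the response does not reveal
            # whether the account exists.
            return False
        cqa_ok = hmac.compare_digest(hash_answer(cqa_answer), user["answer_hash"])
        otp_ok = hmac.compare_digest(totp(user["totp_secret"], now), totp_code)
        # Both factors are evaluated unconditionally and combined at the end: a CQA
        # answer mined from public data still fails without the user's device.
        if not (cqa_ok and otp_ok):
            return False
        user["password"] = new_password
        return True

# Constructed sample account; the TOTP secret is the RFC 6238 test key.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_USERS = {"alice": {"answer_hash": hash_answer("Fluffy"),
                          "totp_secret": SAMPLE_SECRET, "password": "old-pw"}}
```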

Stay Home, Stay Safe

While MFA is often seen as a hassle, it certainly does not have to be. Whether you are securing personal or professional accounts, the added security outweighs the minor inconvenience – especially when it prevents attackers from gaining access to personal, sensitive information.

Stay vigilant while ordering online, and if you can enable MFA on your accounts, be sure to take advantage of the opportunity. It is better to spend a few more moments securely purchasing gifts for your family than to spend the rest of the year buying for someone else.

Tags: MFA, Multi-Factor Authentication, password fatigue, passwords, password recovery, PortalGuard, SSPR, self-service password reset, information systems