Written by:  Van Nguyen, FPQP™

If you do online banking, pay bills online, or log into your investments accounts online, you have undoubtedly encountered the joys of multi-factor authentication.  In addition to the standard username and password, you are required to verify your identity a second way that fits into one of three categories:  something you know, something you have, or something you are.  This can be a hassle, but is a necessary evil in today’s environment of growing cybercrimes.

Something you know.  This is the most well-known form of verification.  The list of things included in this category are passwords, pin numbers, or answers to security questions. These security measures are probably what everyone is most familiar with and are, unfortunately, the easiest to hack.  Most financial institutions require security questions or some other form of verification in addition to a password or pin.  More recently, we’ve observed that many institutions are moving away from security questions as a second form of authentication, or have started to require that new questions be set in place for an account every so often because they can be relatively easy to guess from information in public records.

Something you have.  This category includes a phone, a separate email account, an authenticator application, or a key fob.  The institution will require that you have at least one of these items linked to your account so that a time-sensitive code can be sent to you or generated using the app or fob.  The chances of randomly guessing a pin using only 4 digits is 1 in 10,000.  The codes received from a financial institution using something from this category are usually fairly long because the chances of someone guessing what the code may be are exponentially reduced with each additional digit.

Something you are.  This category uses biometrics such as fingerprints, retina scans, voice recognition, or facial recognition to verify your identity.  Items in this category are probably the newest in authentication technology.  Some older devices may not be precise enough and may be easily circumvented.  For example, someone could record you talking and possibly get around the voice recognition security measure.  However, technology on newer devices has improved tremendously.  As an example, my son and a few of his Asian friends set out to disprove the stereotyped phrase, “All Asians look alike.”  They each had a different phone that had facial recognition.  They tried to unlock their phones using the faces of others who looked similar to them.  They also used photographs of themselves.  Neither of these techniques worked with the facial recognition; only their actual faces allowed them access into their respective phones.

Why is a second form of authentication necessary in today’s technology-based environment?  Here are some statistics.  “Weak or stolen credentials are hackers’ weapon of choice, used in 95 percent of all Web application attacks.  From 2013 and 2014, the number of successful breaches went up by 27.5 percent…. Password theft is constantly evolving as hackers employ methods like keylogging, phishing, and pharming.”  Additional statistics provided in a Telesign study show that having a password alone is not enough.  According to the study, 54 percent of consumers have used five or less passwords since going online; 47 percent are using passwords that are up to 5 years old; 40 percent have experienced a security issue in the past year.  Adding another layer of protection would reduce these numbers.

The days of being able to log into an account using only your password are becoming a thing of the past.  Today’s technology makes it too easy for hackers to steal your information.  Many companies are at least letting you choose to add an additional layer of protection for your accounts to combat the growing security problem.  Agili’s client portal is set up this way.  If you are a client and have not already set up your account for a second form of authentication and would like help doing so, please contact our Client Services Manager.  To protect our client’s personal data, multifactor authentication is required for Agili’s employees who have access to the portal.