There seems to be some misunderstanding around security and authentication. We talk about factors and we say things like use two factor authentication but people don’t know what that means. There are 3 factors we talk about: something you know, something you have, and something you are. For it to be two-factor it has to be 2 of those. So something you know is supposed to be something only you could possibly know. Examples include a PIN number, password, or answers to security questions.
But security questions are dangerous because they are often the same everywhere and we tend to answer consistently, so there is a high probability they have been compromised. Our moms only had one maiden name, our first pet had a single name, we have one favourite colour, etc.
But those types of questions combined with a username and password are only ONE factor. That factor is “Something you know.” Although doing those together can be another hurdle for a malicious actor.
The next factor is “something you have”. Good examples are bank/credit cards with chips. You have the card with the chip and you know your secret PIN.
Other examples are one time codes texted to you, authentication apps where you have to verify it’s you logging in, smart keys, etc. It could also be a PKI certificate, a specific managed device, etc. (although those are out of the reach of most consumers).
Finally “something you are”. Think fingerprints, face, etc. Retina scan if you’re Admiral Kirk accessing the Genesis files. In the physical world it could be the picture on your ID badge. So you need 2 of 3 for it to be 2 factor authentication.
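To make the “2 of 3” rule concrete, here is an added example (not code from the thread or its author) of a login that checks one thing you know (a password, stored only as a salted hash) and one thing you have (a time-based one-time code from an authenticator app, RFC 6238 TOTP over HMAC-SHA1). The user record, the secret and the timestamps are constructed for the example; the TOTP secret used below is the public RFC 6238 test key.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# ---- Factor 1: something you know ----------------------------------------
# The server never stores the password itself, only a salted PBKDF2 hash.

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A random salt makes identical passwords hash differently."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # constant-time comparison so a wrong guess takes as long as a right one
    return hmac.compare_digest(digest, expected)

# ---- Factor 2: something you have ----------------------------------------
# The same secret lives in the user's authenticator app; possession of the
# device is what produces the right 6-digit code for the current 30 s step.

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False

# ---- Both factors together -----------------------------------------------

def login(user_record: dict, password: str, code: str, unix_time: int) -> bool:
    """Two-factor check: evaluate BOTH factors, then require both to pass."""
    know_ok = verify_password(password, user_record["salt"], user_record["hash"])
    have_ok = verify_totp(user_record["totp_secret"], code, unix_time)
    return know_ok and have_ok

# Constructed user record (hypothetical user; secret is the RFC 6238 test key).
RFC_TEST_SECRET = b"12345678901234567890"
_salt, _hash = hash_password("correct horse battery staple")
DEMO_USER = {"salt": _salt, "hash": _hash, "totp_secret": RFC_TEST_SECRET}

if __name__ == "__main__":
    now = 59  # constructed timestamp; RFC 6238 lists 287082 as the 6-digit code here
    print("password + valid code:", login(DEMO_USER, "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
    print("password + wrong code:", login(DEMO_USER, "correct horse battery staple", "000000", now))
    print("wrong password + valid code:", login(DEMO_USER, "guess", totp(RFC_TEST_SECRET, now), now))
```

Note that `login` computes both checks before combining them rather than returning early, so the response time does not reveal which factor failed; and a stolen password alone (the “for sale on the dark net” case later in the thread) is still useless without the code from the device.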
Of course none of these are foolproof and, if it’s profitable, criminals will work to get around them.
So how do people know your reused passwords and answers to your security questions? Because they’ve probably been stolen before and are available for sale on the dark net. So you can’t reset your mom’s maiden name but you can set a unique password. Go do it please!
And don’t use the same password with a couple of extra letters on the end or the beginning relating to the site. Computers like patterns. A study said that the number one password in Canada was 123456, the second was “password” and the 3rd was “drowssap”.
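The “same password with a couple of extra letters” habit is exactly what a password-change check on a site can catch. The following is an added example (not code from the thread or its author) of such a check: it strips site-related tokens and leading/trailing padding, then compares what is left against the old password, including the reversed form and the three common passwords the thread names. The site tokens and sample passwords are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# The three most common passwords named in the thread; a real deployment
# would use a much larger breached-password list.
COMMON_PASSWORDS = {"123456", "password", "drowssap"}

def _core(password: str, site_tokens) -> str:
    """Expose the reused base: drop site-related tokens, then any
    non-letter padding at the start or end (digits, '!', years, ...)."""
    p = password.lower()
    for tok in site_tokens:
        p = p.replace(tok.lower(), "")
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", p)

def new_password_problem(new: str, old: str, site_tokens=()) -> Optional[str]:
    """Return a reason the new password should be rejected, or None if it is fine.
    `site_tokens` are names/abbreviations of this site (hypothetical input)."""
    if new.lower() in COMMON_PASSWORDS:
        return "in common-password list"
    a, b = _core(new, site_tokens), _core(old, site_tokens)
    if not a:
        return "nothing but digits/symbols once site name and padding are removed"
    if a == b:
        return "same base as old password, only padding or site name changed"
    if a == b[::-1]:
        return "old password reversed"
    if len(a) >= 4 and (a in b or b in a):
        return "old password with characters added or removed"
    if SequenceMatcher(None, a, b).ratio() >= 0.8:
        return "too similar to old password"
    return None

if __name__ == "__main__":
    # Constructed examples of a user changing their password on a site nicknamed "fb".
    for new in ["Summer2019!", "fbSummer2019", "Drowssap1", "2024!!", "correct horse battery staple"]:
        print(f"{new!r}: {new_password_problem(new, 'Summer2019', site_tokens=('fb',))}")
```

The check runs on the server at password-change time, where both the old and the candidate password are briefly available in plaintext, and it returns a reason so the user is told why the variant was rejected rather than just that it was.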
You can follow @Scott_Jones_CAN.