Passwords - The First Line of Defense
It is common knowledge that good account security starts with a strong complex password for all of your online accounts. However, it takes much more than a good password to protect yourself from security threats. Two-factor authentication (“2FA”), also known as multi-factor authentication (“MFA”) can enhance the security of your account.
Why Passwords Alone Aren’t Enough
While passwords offer some protection against risk, they can still leave your account vulnerable to theft.
A 2019 Google study found that 64% of surveyed participants admit to reusing passwords across multiple sites. This is problematic because even if a password is complex, if it is being reused for other websites, a data breach at Adobe or LinkedIn, for example, could lead to their data getting breached across multiple accounts through a process known as credential stuffing.
But password reuse is not the only downside of single-factor authentication. There are other methods that attackers use to steal passwords including phishing, which involves fraudulently asking the victim for sensitive information via email, SMS, or a phone call; keylogging, which involves secretly recording the keys struck on a keyboard; and pharming, which involves the installation of malicious code onto a device that redirects users to a fraudulent website where they enter sensitive information.
How does 2FA Keep Your Account Secure?
While no recordkeeper or other service provider can thoroughly protect the security of any online account, we are implementing mandatory 2FA on all accounts to help prevent unauthorized individuals from accessing your Vestwell account. We leverage 2FA so that we can pair something you know (like your password) with something you have (like a code from an authentication application or a text on your phone).
By adding a second factor to your account authentication flow, even if your account password is compromised your Vestwell account can still be protected. Even targeted attacks are more difficult because the attacker would be required to access two different forms of authentication. At Vestwell, we offer multiple methods for setting up 2FA available today, which you can do via SMS 2FA and TOTP 2FA.
SMS-based 2FA is among the most widely used type of 2FA today. It works by sending a one-time code to your mobile phone via text message, which you then enter to access your account. This option offers a seamless experience on mobile due to the auto-fill capabilities on iOS and Android that allow you to stay within the application experience when inputting the passcode. A Google study showed that SMS-based authentication "can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks".
You should understand that there are limitations with SMS 2FA which include:
It requires cell phone service to receive your one-time password
It is tied to a specific phone number
SMS one-time passwords (OTPs) don’t expire for several minutes, which gives attackers time to conduct a cyberattack
SMS is not always end-to-end encrypted so an attacker could potentially intercept the OTP during transport on a telephony network
Time-Based One Time Password (TOTP) 2FA
TOTP 2FA uses an authenticator app on your smartphone (such as Google Authenticator or Microsoft Authenticator) to generate a one-time code that changes every 30 seconds to give little time for a potential attacker to conduct a cyberattack. To access your account, you need to enter the current code displayed on the app. TOTP 2FA is considered to be more secure than SMS-based 2FA because it is less susceptible to intercepts and spoofing. Additionally, TOTP 2FA does not rely on a phone number, so it can be used with any device that has the app installed. TOTP also doesn’t require personally identifiable information to be shared during setup, doesn’t require a network connection to generate codes, has stronger proof of possession (since it can’t be accessed from multiple devices concurrently), and generally authenticates an account faster than SMS. We encourage you to set up both TOTP and SMS 2FA so that if one method fails, you can still leverage your backup option in order to access your account. Now that you know the many benefits of 2FA, make sure to log in to your Vestwell account and set up 2FA today!