Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 187: Understanding the Importance of Multi-Factor Authentication
Reference Number ACG-CSB 042120187
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Cyber criminals persist year after year. Whether for school or social networking, work or entertainment, millions of people around the globe use the web daily. However, not everyone uses it with good intentions.
Hacking or illegal access can affect thousands of people, even large businesses. Hackers use different methods to acquire passwords and other information in order to change a website’s contents, send emails from someone else’s accounts and steal private information.
Passwords are ancient, they’ve been used for centuries to protect people and information. In the early years of technology, they seemed like the best solution for controlling access to systems with sensitive data. Over the years, passwords and password encryption methods have become more complex. Computers do not know when a password has been compromised, it just grants access to whoever enters it. This lack of proof of identity is an obvious flaw in passwords today. Businesses cannot always monitor employees and users to make sure they are using best practices. Most people use the same or similar passwords for almost all accounts.
It should be obvious that using Multi-Factor Authentication (MFA) helps with cybersecurity because it is a combination of three or more authentication factors such as something you know, something you have, and something you are (biometrics). MFA or sometimes also called two-factor authentication is a feature that requires more than just username and password to log in to an account. After entering username and password it also requires a second piece of information like a code or a temporary password or the swipe of a finger before the account can be accessed. If the correct information is not provided, the account remains locked.
One of the major issues with passwords and tokens is that they cannot prove identity. Biometrics solve that problem. Adding biometrics as an authentication factor such as fingerprints, facial patterns, voice or typing cadence is the best way to prove identity because your biometrics are you. Identity-based access control is a significant improvement over alternative authentication factors because you cannot forget it, you cannot lose it and they are extremely difficult to steal and unique to you.
In today's online environment, the fundamental “username and password” approach to account security can be easily breached by cyber criminals. Many log-ins can be compromised in a matter of minutes and private data such as personal and financial details is under increasing threat. Wouldn't it be nice if your online accounts let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others?
With the increase of cyber-attacks on organizations, password strength cannot be relied on as the only layer of protection for an organization to preventing threat actors from gaining unauthorized access. Although not bullet-proof, multi-factor authentication is a proven way to lessen the likelihood of a data breach via a compromised password.
All PNP personnel as well as the public are advised to follow the importance of Multi-Factor Authentication to avoid being a victim of cybercrime:
• The use of MFA prevents unauthorized access to sensitive data;
• Make sure automated phone calls use clear messages that let the user know someone is trying to log-in;
• Strengthen overall security as everything required by the system is not available to the people wanting to steal data and gain access to a system;
• Take a step towards compliance that will support the protection of sensitive data like financial, personal or business information; and
• Do not allow high-value, high-risk clients to authenticate with less secure MFA methods like social verification.
For additional information, please refer to the following websites:
POINT OF CONTACT