Lawcovernotes July 2019
2. Multifactor authentication – what is it and why do you need it?

Every time we log in to our computer or device, our bank account or email we are prompted to enter a username and password. Your username is probably your name (or a variation of it) and your password is probably that familiar one you use for most of your accounts. This is supposed to authenticate your identity and prevent unauthorised access to your systems, devices, accounts, services etc.; but is it enough?

What is multi-factor authentication?

Multi-factor authentication (MFA) is an extra layer of security making it much harder for would-be cyber attackers to get the evidence they need to access systems, accounts and the sensitive data that a legal practice holds. MFA requires the user to submit additional information along with their username and password when they access their computer, device, or other electronic accounts. The information that makes up MFA is usually a combination of:

- Something you know (username and password)
- Something you have access to (a unique code sent to your phone)
- Something you physically have or are (ID card, fingerprints or other biometrics)

Every time you use an ATM you need both your PIN (something you know) and your ATM card (something you physically have) to access your bank account. If you protect your money by using MFA then why wouldn’t you do the same for your legal practice?

Why is MFA important?

As well as reducing risk and protecting your legal practice against cyber criminals, solicitors have an obligation to take reasonable precautions to safeguard clients’ confidential information. This is why a multi-layered approach to cyber security is so important. The use of MFA reduces the likelihood of someone or something other than the user gaining the information required to access your system. If your password is compromised and you have MFA in place then the attacker can only gain access if they:

1. Know your username and password
2. Have access to your phone (for example)

They need both levels of authentication. While MFA requires one extra step in the log in process, it provides a much stronger defence.

Implementing MFA

Implementing MFA into your existing systems and processes is quick and simple. Most operating systems offer MFA as a ‘bolt on’ or ‘plug in’ security measure which can be activated or installed. For example, Microsoft has a mobile phone app - Microsoft Authenticator, which once linked to your accounts, provides a unique, one-time-use code for users. This code is then entered (in addition to a username and password) to gain access to the device, system, or other electronic accounts. Similarly Apple have a built in software feature called