VERIFICATION 2
What if someone gets your password?
What’s the lesson about?
Little time, approaching deadlines, dozens of emails. In today's hectic pace, it's easy to overlook something, make a mistake, be deceived, lose a password. Be smart, anticipate this, and insure yourself with multi-factor authentication.
The module contains 3 parts: an extra (15 min), 1 challenge, and 1 tutorial.
1. Just something "extra"?
Multi-factor authentication is like a backup parachute – you don't want to risk going without it. It's not a luxury for dedicated cybersecurity enthusiasts; it's a standard that means greater security for you and a major obstacle for attackers.
The essence of multi-factor authentication is simply not to bet everything on one card, i.e., the password. Imagine someone has obtained your internet banking password. They log in and try to transfer your money. At that point, however, the bank will ask for a code from a verification SMS or a confirmation in an app (these are the additional factors). In other words, this measure gives you an additional layer of protection.
We will introduce more ways to perform verification later. But for now, it is important to repeat: having your passwords properly sorted out is the foundation, but it's not enough. Therefore, wherever possible, always set up an additional verification option. Just as with the parachute mentioned above, it's too late to start solving the problem only when it's needed.
2. Let's clarify this
Now that you know that multi-factor verification can significantly increase your security level, it's necessary to specify two things. First, what verification options you have. Then, we will discuss where you should implement them.
Verification methods
Something you know (PIN, code), something you have (key, card), something you are (fingerprint, eye scan). These are the basic categories distinguished by theory. This textbook explanation concludes here.
We have selected three verification methods we consider most important for you to know. Below, we provide the most important information about each in several bullet points.
One-time codes in messages
- Many services use verification with a code that you receive in an email or SMS message. This method is not ideal, but if you have no other option, use it.
- However, be careful about securing your phone. Enabling SMS previews on a locked phone significantly weakens the method, as does not protecting your phone with a screen lock. For more information about securing your mobile, look at Device Protection.
- And what if you lose your phone? In this case, you can issue backup codes in advance – keep them securely stored, for example in a password manager. You can also print them out, but be careful, as no one else must gain access to them.
One-time password from an app on your mobile
- The code doesn't have to come only through messages. This variant of verification uses an app on your mobile.
- Think of it as a calculator that computes a new code every 30 seconds. You then use this code for verification.
- This approach is also used by Masaryk University, and we will show you how to use it in another part of this module.
- You can count on it to protect you from a significant portion of existing attacks. It also makes your password worthless to an attacker who wants to sell it.
- The basic weakness is that if the attacker manages to create a fake page where you enter your password, they can also create a fake form where you enter your verification code. This gives them both pieces of information needed to log into your account. For this reason, we recommend verification using a security key.
Security Key
- A security key can take the form of a physical token or software (an SW key) that is linked to a physical device.
- Unlike the previous methods, this method protects you even from an attack in the form of a fake page – the key simply recognizes that it's not where it should be and does not allow verification.
- It is therefore a very good and convenient solution, the only disadvantage being the need to set it up – and we will help you with that in the third part of this module.
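An added, simplified model (not from the original lesson or from MUNI's systems) of why the key "knows where it is": in WebAuthn-style login the browser, not the page, writes the page's origin into the data the key signs, and the server accepts an assertion only for its own origin. The origin, challenge and key material are constructed placeholders, and an HMAC stands in for the key's public-key signature so the example runs without extra libraries.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the private key held inside the security key. Real keys sign with
# public-key crypto and the server holds only the public key; HMAC is used here to stay dependency-free.
AUTHENTICATOR_SECRET = b"constructed-demo-authenticator-secret"


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser (not the web page) records the origin of the page that requested the assertion."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()


def authenticator_sign(client_data: bytes) -> bytes:
    """The key signs a digest that covers the origin, so the assertion is bound to the site visited."""
    digest = hashlib.sha256(client_data).digest()
    return hmac.new(AUTHENTICATOR_SECRET, digest, hashlib.sha256).digest()


def server_verify(expected_origin: str, issued_challenge: bytes, client_data: bytes, signature: bytes) -> bool:
    """Relying-party check: origin must be ours, challenge must be the one we issued, signature
    must match. A perfectly valid signature over a foreign origin is still rejected."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get" or data.get("origin") != expected_origin:
        return False
    if not hmac.compare_digest(str(data.get("challenge", "")), issued_challenge.hex()):
        return False
    return hmac.compare_digest(authenticator_sign(client_data), signature)


def login_attempt(page_origin: str, rp_origin: str = "https://login.example.test") -> bool:
    """Whole exchange: server issues a challenge, browser wraps it with the real page origin,
    key signs it, server verifies. Only a page on the server's own origin is accepted."""
    challenge = secrets.token_bytes(32)
    client_data = browser_client_data(challenge, page_origin)
    return server_verify(rp_origin, challenge, client_data, authenticator_sign(client_data))


if __name__ == "__main__":
    print("genuine page accepted:", login_attempt("https://login.example.test"))  # True
    print("page on another origin accepted:", login_attempt("https://other-site.test"))  # False
```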
Where to implement multi-factor authentication?
Some services will make it easier for you to find the answer and simply force you to set up multi-factor authentication. Elsewhere, however, it will be your choice. Our recommendation is to use it wherever possible. However, if you're looking for the path of least resistance, follow our list of priority areas:
The essential minimum: where to activate multi-factor authentication:
- Personal email.
- All accounts where you have financial resources (banking, investment accounts, etc.). These services should enforce it anyway.
- All accounts to which you have connected a credit card (e-shops, gaming portals, content subscriptions).
- Your password manager, if it supports it. Bitwarden, our recommended choice, provides multiple options.
- Work and school information systems – you will find instructions for MUNI below.
- Profiles on social networks.
- Accounts where you have administrative rights.
- All services or systems that process sensitive information (e.g., health status, private notes, etc.).
Challenge: Implement multi-factor verification
Below we have guides for you on how to implement multi-factor verification at the university.
For your other services, you can usually activate it in the settings, in the section focused on security. Sometimes you can also find it under the names "multi-phase verification," "two-phase verification," or "two-factor authentication." We have selected at least a few guides for setting up some popular services:
A few practical tips:
- First, create a list of services where you need to implement multi-factor verification. Then reserve 45 minutes in your calendar.
- In the designated time block, get started, follow the guides. Start with the first service on the list. Once you're done, check off the service and continue with the next.
- See how much you can accomplish! And if you can't manage everything at once, plan another block for continuation. You can be sure it's a meaningful use of your time.
In this part, we’ll show you how to implement multi-factor verification at Masaryk University. First, we’ll describe how to set up verification through a one-time code in an app and then using a security SW key.
At MUNI, both verification methods are related. Our primary goal will be to use the SW key, but a one-time password in an app can sometimes come in handy as a backup – for example, when you are not logging in from a device where you have the SW key installed. The whole process has only two basic steps.
Tutorial: Two steps to certainty thanks to verification
#1 Get your first verification code
- Setting up TOTP verification codes is the foundation of the entire process. It works by generating codes using an app on your device. We will show you exactly how to do it in the video guide.
- Just for this case, we will also show you how to generate backup codes. You can then safely store them, or print and keep them.
- Now choose a guide according to your operating system and set up the verification codes accordingly.
#2 Add a security key
- The result of this step will be that your mobile or computer itself becomes a security key. Don't worry if you don't have experience with this yet. Our guide will help you.
- You can create more such security keys – for example, from a home computer and a work computer, and also on a mobile. Each device must be set up separately.
- To work safely with passwords, we need a safeguard, which is multi-factor verification.
- We can use different methods for verification. Each is better than none, but we especially recommend SW security keys.
- Verification is set up separately for each service (and often each device); we recommend reserving time for it and starting with the MUNI guides.
Bonus for curious users
Setting up verification in IS MU
Multi-factor verification only applies to services that use Unified MUNI Login. To activate multi-factor verification for IS, it needs to be activated in the Information System using this guide.