What is multifactor authentication (MFA) and how can it protect your computer? With MFA, the user is granted access only after presenting two or more factors to an authentication service. Possible factors include something you know, such as a password or passphrase; something you have, such as a smart card or token; or something you are, such as a fingerprint or retina scan.
Although a strong, complex password is always better than an easily guessable one, attackers can circumvent strong passwords. They may ask for your password over the phone, via email, or from a malicious website that looks legitimate. They could find a password stored on your computer or written down, or intercept it on an insecure public network or with a keylogger installed on your computer. Attackers may also brute force a password slowly, to avoid detection: repeated login attempts that try every possible combination of letters, numbers and other characters until the password is guessed. Most importantly, a password provides no real assurance that the user is who they say they are, only that they know the password.

The federal government issues smart cards that meet the Homeland Security Presidential Directive 12, Personal Identity Verification (PIV) card standard. Obtaining a card requires multiple forms of identification and a background investigation. The card contains a digital certificate issued by an organization that your computer already trusts, and using the card requires entering a unique PIN. Together, these provide far stronger protection than a simple password.
MFA is also worth using at home to keep your personal information safe. Many websites let you use a free app on your smartphone containing a software token in place of, or in addition to, a password.
LMS-PROC-22 Protection of Controlled Unclassified Information requires MFA, using the PIV card, for anyone with access to controlled unclassified information (CUI). CUI is information that cannot be released to the public and which, if improperly disclosed, could adversely affect the national interest, federal initiatives, or the privacy of individuals or other organizations. If you suspect you work with controlled unclassified information and are not yet logging into your computer with a smart card, please check with your divisional cyber security program representative.
For additional information regarding the proper handling of CUI, email the OPSEC office.