An update to ALTA’s Title Insurance and Settlement Company Best Practices that goes into effect in January requires the use of multifactor authentication (MFA) for all remotely hosted or remotely accessible systems storing, transmitting or transferring non-public personal information.
Multifactor authentication is different from the traditional method of logging into an account with a username and password. If you’re one of the 54 percent of consumers who use five or fewer passwords for all their accounts, you’re taking a risk: hackers can take down multiple accounts just by cracking one password. MFA is a more secure way to protect non-public personal information (NPI) and accounts.
You probably already use MFA in some form. You just don’t know it. You’ve used MFA if you’ve:
- swiped a bank card at the ATM and then entered a PIN (personal ID number).
- logged into a website that sent a numeric code to your phone, which you then entered to gain access to an account.
The credentials used in MFA, also known as two-factor authentication (2FA), fall into three categories:
- Something you know: This includes passwords, PINs, combinations, code words, etc.
- Something you have: This includes physical objects such as your computer, phone, keys, USB drives and token devices.
- Something that you are: This includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans and voice verification.
Let’s use logging into a bank account as an example. If MFA is turned on, whether by you or by the bank, the first thing you’ll do is type in your username and password. As a second factor, an authenticator app generates a one-time code that you enter on the next screen. The code is often sent to your phone. In many cases, MFA approaches will remember a device, so if the same computer or phone is used again, the site treats that device as the second factor.
According to a survey by Google, experts say using MFA is one of the top three things that can be implemented to enhance online security. The other two practices are to install software updates and use unique passwords.
Source: ALTA Blog