Multi-Factor Authentication & Not Looking “Sus” in Among Us

Among Us, a mobile and desktop application taking the world by storm, is a game where up to ten participants (or “crewmates”) work to complete all the tasks on their broken spaceship to win. The only hiccup is up to three of these crewmates are “imposters”. The imposters actively work against this objective by *cough* eliminating other participants. Participants can occasionally meet to vote to kick off a crewmate who they suspect (aka “sus”) as being an imposter. It is a game much like Mafia or Werewolf, with a lot of finger pointing, accusing each other of being “sus”, mistaken identity, and fun frustration.

While these games are for entertainment, a similar exchange happens every time you log into a website or application. Security is always a top priority when it comes to your data, especially when you are interacting with that data on an unsecure network like the internet. 

So how does your web application know if you are really you?

Most web applications require two pieces of information for a user to login: a username/email and a password. However, these two pieces of information can easily be compromised. Email addresses are not secrets and, unfortunately, people like to use weak or easy passwords. What’s worse, if an imposter wishing to impersonate you has access to your email, they can easily use the applications password “reset password” feature to gain access to your information. 

How do we stop these imposters?

In Among Us, certain tasks will cause an animation to occur or momentarily leave some sort of proof that you completed that task. Imposters cannot complete tasks. Therefore, if someone else witnesses you complete one of these tasks, they can vouch that you are not an imposter. While you may claim to be a crewmate and not an imposter, having someone else there to back up your claim helps prove your statement as authentic. The same theory applies to websites.

Two-Factor Authentication

Two Step Authentication, Multi-Factor Authentication, and the more common phrase Two-Factor Authentication (2FA) all mean the same thing, using a second method to verify that you are who you say you are. Just typing in your username/email and password is one factor in your authentication. You are claiming you are your username/email and you do have the correct password giving yourself some legitimacy. 

However, this may not be enough to prove you are you. With 2FA, after you pass this first factor of authentication, you are not given immediate access to the application. Instead, you will be prompted to enter in a one-time use code to gain access. This code may be sent to you through a text message or maybe an automated phone call. Since providing this code to you is done through your phone and outside of the communication cycle of the application and your email, an imposter would be less likely to have access to it and therefore know the code to impersonate you.

There are many forms of 2FA. Like in the example above, an automated phone call or text message is some of the most common forms of 2FA. Some companies are building their own 2FA authentication applications like Google’s Authenticator. There are also forms of physical and disconnected 2FA. For example, and more commonly found in the banking industry, a small keychain-like device will display a new code every minute to enter while you log in to the web application.

2FA is also cost effective. Using email or other digital 2FA are usually free. Phone services are not free, but still cheap with text messages being as low as $0.0075 a message.

By adding 2FA to your website you might slow down the login process, but it makes it much more secure. 

To learn more about adding 2FA to your website, contact your Vanguard client manager today.