FAQ
Do I still need a strong password if I use 2FA?
Yes, having a strong password is still important even if you use two-factor authentication (2FA). Here’s why:
-
Defense-in-Depth: 2FA adds an extra layer of security, but a strong password is your first line of defense. If someone can guess or crack your password, they might still be able to try other methods to bypass or compromise your 2FA.
-
Password Reuse and Breaches: Many people reuse passwords across multiple sites. If one site gets breached, a weak or reused password can give attackers access to other accounts, even if they’re protected by 2FA.
-
Protection Against Phishing: Strong passwords reduce the chances of someone successfully phishing your credentials. While 2FA can help protect against unauthorized access, a strong password makes it harder for attackers to succeed in their attempts.
-
Varied Attack Methods: Attackers use various methods to compromise accounts, including brute force attacks and credential stuffing. A strong, complex password helps ensure that these methods are less effective.
So, while 2FA significantly boosts your security, combining it with a strong, unique password is a best practice for keeping your accounts as secure as possible.
Can I receive my SCIO's OTP as an SMS or via email?
No, receiving one-time passwords (OTPs) via SMS or email has several security drawbacks. To enhance the security of your accounts and eliminate these risks, we chose to use an Authenticator App for OTPs. Here are a few of the drawbacks associated with receiving OTPs via SMS or email:
-
Phishing Risks: SMS and email can be vulnerable to phishing attacks. An attacker might trick you into providing the OTP by impersonating a legitimate service or tricking you into visiting a fake site.
-
SMS Interception: SMS messages can be intercepted by attackers through various means, such as SIM swapping or network vulnerabilities. This can potentially expose your OTP to unauthorized parties.
-
Email Compromise: If your email account is compromised, attackers could access OTPs sent to your email. This could give them access to accounts or services that use email-based OTPs for authentication.
-
Lack of Encryption: SMS messages are not encrypted during transmission, which means they can be intercepted and read by anyone who can access the network traffic. Similarly, emails can be intercepted, especially if they're not encrypted.
-
Delayed Delivery: SMS and email OTPs can sometimes be delayed due to network issues or server problems, potentially causing inconvenience or access issues.
-
Social Engineering: Attackers can use social engineering tactics to trick users into revealing OTPs received via SMS or email. For example, they might impersonate a legitimate support agent and request the OTP from you.