Last year, more than 9000 people had their Government of Canada accounts compromised in at least two credential stuffing attacks. About 5000 of those accounts were for the Canada Revenue Agency.
After these attacks, canada.ca began rolling out multi-factor authentication so that users can protect their accounts. As of March 2021, multi-factor authentication is available for My Service Canada (Sources: 1).
Why is multi-factor authentication important?
Multi-factor authentication (MFA) is particularly useful for stopping an attacker who already holds a valid username and password. Losing those credentials is often outside your control, as when they are stolen in a data breach at a service you use.
The danger to businesses and individuals comes from people reusing the same password across different services: a password stolen from one service then unlocks accounts at every other service where it was reused.
MFA helps defend against stolen or guessed passwords. MFA can use one of several methods; on canada.ca, the options offered initially were phone calls and SMS.
For you young folks, SMS is how text messages get sent when you're not using Signal, iMessage, or a similar messaging app.
MFA is important. A username and password alone is too vulnerable, too risky. Fraud can be damaging immediately, then very costly to resolve (Sources: 2).
All MFA is not created equal
But we could argue that MFA relying on outdated technology, like SMS or phone calls, is worse than not using MFA at all. SMS and regular telephony were designed decades ago without the security properties we need today: a code sent over the phone network can be redirected by SIM swapping or number porting, and it can be intercepted through the SS7 signalling network. NIST SP 800-63B classifies one-time codes delivered over the public telephone network as a "restricted" authenticator for exactly these reasons.
We could also argue that flawed MFA is better than nothing. Which argument wins depends on the implementation details, such as whether the same phone number can also be used to reset the password, so we won't settle it here.
App-based MFA is a win all around: canada.ca is now offering this
This month, the Government of Canada started offering app-based MFA. There is now no security trade-off to activating MFA on My Service Canada: MFA using an authenticator app meets modern standards, it's convenient, and it keeps us much safer.
Why authenticator apps are a win
You may already be familiar with some form of MFA. HSBC, for example, gives customers a device that generates one-time passwords to use in addition to their usual username and password. HSBC also offers to generate those one-time passwords in its mobile app.
MFA using TOTP codes generated by an authenticator app is even better. It is much more convenient than a single-purpose device or app, and the codes that apps like Authy generate follow a common, public standard: TOTP as specified in RFC 6238, built on the HOTP algorithm of RFC 4226 (Sources: 3). Using this common standard brings two major wins:
- Publicly auditable common standards are typically better than proprietary methods when it comes to catching flaws and fixing them.
- Common standards are better for interoperability: once you set up an MFA app for your canada.ca accounts, you can use the same app to add MFA to your Gmail, G Suite, Trello, Asana, WealthBar, and anything else that supports the standard.
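To make the "common standard" concrete, here is an added example (not code from the original post, nor canada.ca's or Authy's implementation) of the TOTP algorithm from RFC 6238 and the HOTP algorithm of RFC 4226 it builds on, written in Python with only the standard library. The shared secret is the RFCs' published test key and the timestamps are the RFCs' test values, so the codes it produces can be checked against the tables in those documents; the issuer and account name in the enrolment URI are made-up placeholders. The otpauth:// URI format is a de facto convention started by Google Authenticator rather than part of the RFCs.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus `window` steps on either side
    so a slightly drifted phone clock still works; compare in constant time."""
    counter = unix_time // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # Keep looping after a match so timing does not reveal which step hit.
        matched |= hmac.compare_digest(candidate.encode(), code.encode())
    return matched


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text, usually without
    padding and sometimes grouped with spaces for manual entry."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore padding for b32decode
    return base64.b32decode(cleaned)


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that enrolment QR codes carry (Google Authenticator convention,
    not part of the RFCs). Any standards-following app can import it."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226/6238 test key and a timestamp from the
    # RFC 6238 test table, chosen so the output is reproducible. Never reuse this key.
    secret = b"12345678901234567890"
    now = 1111111109
    code = totp(secret, now)
    print("enrolment URI:", otpauth_uri("canada.ca", "alice@example.com", secret))
    print("code at t=%d: %s" % (now, code))
    print("accepted now:", verify_totp(secret, code, now))          # True
    print("accepted 30 s later:", verify_totp(secret, code, now + 30))  # True, within drift window
    print("accepted 60 s later:", verify_totp(secret, code, now + 60))  # False, two steps away
```

Running it prints the enrolment URI and shows the same code being accepted within the drift window and rejected two steps later. The interoperability win follows directly from the code: any app that implements these few dozen lines produces the same six digits from the same secret, which is why one authenticator app serves every site that supports the standard.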
Now that canada.ca offers this level of protection, it's worth taking the half hour needed to set it up completely.
👉 Next step
Get ready to use strong app-based multi-factor authentication with our quickstart.
Then use our guide to activating stronger security on My Service Canada.