After last year’s record-setting rate of cybercrime and data breaches, login security is becoming more and more critical for every business. However, not many business owners or key decision makers know the difference between using a single-sign on password approach and more secure multifactor authentication methods. While it’s not possible to stop all breaches, this type of cyber protection is critical to helping your data and other sensitive information remain as secure as possible.
According to Verizon’s 2018 Data Breach Investigations Report executive summary, 81% of the studied “hacking-related breaches leveraged either stolen and/or weak passwords.” The information is based on “more than 40,000 incidents and almost 2,000 breaches.” This report also recommends utilizing 2FA as one of the top methods to mitigate cyber attacks.
Two factor authentication (2FA), or what’s also known as dual factor authentication (DFA) or 2-step verification, is a security protocol that adds an extra layer of security to any basic virtual platform. It requires two methods (or “factors”) of identity verification that confirm you are who you say you are. According to the National Institute of Standards and Technology Applied Cybersecurity Division, the two factors can include a variety of information that typically falls into three categories:
- “Something you know,” such as a username, password, pin, favorite memory, or phrase
- “Something you have,” like a mobile phone, generated code, or mobile app; or
- “Something you are,” meaning some sort of biometric identifier like your face, a retina scan, or fingerprint.
So how can you ensure your business is prepared to face future cybersecurity threats? By using cybersecurity best practices and having strong risk management strategies in place, including the use of two factor authentication.
Implementing 2FA in Your Business
Depending on your needs and security preferences, there are multiple ways to protect your data via two factor authentication.
- One Time SMS Text Message: While this may be one of the most commonly used forms of 2FA, that does not necessarily mean it’s the best or most secure method. The message containing your temporary code can be intercepted in-transit, and being able to successfully use the code also requires having immediate access to your mobile device and reliable cell service to receive messages.
Another similar method involves sending one of these dynamically generated codes via email instead of SMS. This delivery format also raises concerns because email accounts can be hacked and emails can be intercepted in transit as well.
- Time-Based One Time Password or Code: A time-based one time password (TOTP) or one time code (OTC) are other methods that are more secure than the standard password but is still not necessarily the strongest. Much like the SMS text, the idea here is that you’ll be the only one to know the code. However, also in the same vein as the SMS text message security concerns, it also means that the information can potentially be intercepted.
- A Hardware Token or Universal 2nd Factor: Having a physical token or a form of Universal 2nd factor (U2F) takes the “something you have” requirement to a whole new level. This method, which is considered one of the most secure options, requires that you have a token on your person. What could be viewed as a potential drawback to this method, however, is that it has limited applications because it’s not commonly used by many services.
- Mobile App Authorization: A number of companies and services have started to opt to use some form of mobile authenticator application. Duo Mobile, Google Authenticator, and Twilio Authy are just a few examples of this type of 2FA mobile security app.
Blizzard Entertainment’s Blizzard Mobile Authenticator is one example of a company that has been using one such app for several years. When the end user tries to log in to the online gaming service, it generates a code that the user must then match in their mobile app to confirm their identity and authorize access.
Make 2FA a Part of Your Basic Security Requirement
We are long past the time when two factor authentication should be considered an additional layer of protection. In today’s increasingly virtual world, 2FA should be used whenever and wherever possible - by websites, applications, email, and any other virtual portal across all industries.
Two factor authentication used to be used primarily to safeguard financial transactions. However, the use of this measure is slowly spreading across industries. In 2016, the White House announced the launch of the “Lock Down Your Login” public awareness campaign in collaboration with the National Cyber Security Alliance. You can check to see if your website or other sites that you use support 2FA.
How to Make Your 2FA Protocol More Effective
A mistake that some companies make is that they “set and forget” their two factor authentication protocols. By setting this information and not bothering with it again, you risk leaving your systems (and their valuable data) vulnerable to cyber attacks.
Some of our top tips for providing solid two factor authentication include:
- Keeping your servers and employee computers up to date through patches and upgrades
- Implementing an alert system that notifies you of any unauthorized access attempts
- Protecting personal devices with 2FA
While 2FA isn’t the only security weapon your business should have in its arsenal, we believe it's really a foundational item and should be a key component protecting every network. In order to truly know what protection you have in place for your network, consider implementing a network health assessment to take your business’s virtual “temperature” to determine the health of your business’s online security.
How does your company or organization use two factor authentication methods to protect your clients’ data and your other sensitive information? Share your experiences in the comments box below or shoot me an email if you’d like to chat about this in more detail.