What is Two-Factor Authentication? The Tip of the Security Spear
The average American is inundated with passwords. Requirements for new passwords, login failure notifications when they forget their password, and in some unfortunate cases, alerts that their information has been compromised and all NEW passwords will be necessary.
More on compromised data in a bit. But seriously, is it any wonder that password hygiene for most of us is so bad? According to some estimates, the average American has around 200 accounts that require a password to access.
The same report noted that around two-thirds of us will re-use the same password or a small variation on a password for multiple services. This is all a long way of saying that given the motivation, it would not be difficult for a hacker to crack a password and gain access to millions of pieces of valuable data.
So, what’s to be done? How can the modern office environment improve their operational strategy to help bolster the security of data and help employees brush up on better cybersecurity strategies?
One primary method that is simple and often overlooked is two-factor authentication.
What is Two-Factor Authentication?
We’re glad you asked!
The University of Maryland and Johns Hopkins University conducted a survey which reported that around 30 percent of people have never used two-factor authentication on their smart devices.
But it’s not because these individuals like to throw caution into the wind - around 64% of the respondents of the survey had never heard about two-factor authentication (2FA) or had never been prompted to use it.
Simply put, two-factor authentication is an extra layer of security put in place to access online platforms or devices. Typically, the first layer of security is the traditional password made up of numbers and letters. As we noted above, the traditional password is fairly easy to bypass for motivated bad actors.
In 2FA, another layer of security is enabled in order for the user to gain access to the system. Most systems will require additional input related to one of the following:
Some item possessed by the appropriate user, like a peripheral with a unique key code generator
A physical part of the body of the appropriate user, like a biometric scanner
A location-based factor which identifies that area from which an access/authentication attempt is being made. IP addresses or other geolocation information can be used
If you’ve ever seen Mission: Impossible it’s similar to someone speaking a password, then requiring a fingerprint scanner in order to gain access (with fewer explosions and espionage).
Types of 2FA Tokens
The second layer of the 2FA system can be a variety of access modalities, depending on the type of business and the level of need. Perhaps one of the most common types of 2nd layer are physical tokens.
These devices are small, like a key fob and produce a unique numeric code every few minutes. After the initial request to access a certain set of data is received, the system requires a second authentication which corresponds to the code displayed on the fob.
This can be a costly method of 2FA, depending on the size of the business. Also, like creating passwords, humans are prone to errors and leaving fobs behind at restaurants and bars is not unheard-of.
SMS and Smartphone Solutions
A popular secondary authentication method like a text message can be less expensive and faster to implement. An SMS-message sends a password, or an automated call provides a verbal code for the user.
Other Authentication Methods
Software tokens are becoming more popular which provides additional flexibility for those without reliable cell phone service - secure logins are possible just about anywhere with an internet connection. This presents some of the same challenges as traditional password phishing, however, if a bad actor obtains the ability to gain access to a user’s desktop.
Biometric 2FA methods, like fingerprint scanning, facial recognition, or retina scanning options are also becoming more widely used for businesses that place a higher emphasis on security. Banks, healthcare companies, and other financial institutions are among businesses that are investing in biometric 2FA methods. Not as exciting as Mission: Impossible, but very important for the security of their customer data.
Security Concerns with 2FA
Let’s be brutally honest for a moment - the average cybercriminal is more opportunistic than malevolent. Mix-in the facts that most Americans have poor password hygiene and are uninformed about best-practices in cybersecurity and you can see how this can be a recipe for disaster.
A recent article on CNN reported that ‘123456’ is still the most common password belonging to accounts worldwide. Approximately 23.2 million accounts bucked the trend by adding “-789” to the end of the password string.
Other commonly used passwords that made the list this year may not surprise anyone reading. They include:
For many businesses, the inclusion of 2FA is enough to help protect their data and improve internal security measures ten-fold.
If you manage a department or work for a company that has been slow to adopt two-factor authentication, don’t worry. There’s never been a better time to leverage tools or services that can help make two-factor authentication a reality for the organization.
How to Get Started
We’ll get into more advanced methods of implementing 2FA in a moment, but here’s a helpful hint - you can “test drive” how this works right now for free. Common cloud networks like Gmail, iCloud and other social media platforms allow users to turn on 2FA (aka - 2-step verification).
Most have these features available under ‘Settings’ and then ‘Security’. The user simply attaches a cell phone number to the account so they will be alerted by cell phone any time a login attempt is made.
Vendors and Tools
A cell phone might work for personal accounts like social media, getting serious about 2FA for a business involves more planning and strategy. Advancements in the security space mean more options are available to businesses than ever before.
The paradox of choice can make simple decisions more complicated than they need to be, especially if key decision-makers don’t happen to also be cybersecurity experts. Reading reviews from users of security software should be incorporated into the research phase. These reviews tell a story that no amount of glowing website prose ever could.
Aggregators like G2’s Cloud Security Software dashboard help connect the dots between what an organization thinks they need and what they would actually benefit the most from.
The business world is in a unique position right now from the standpoint of cybersecurity.
While headlines about large-scale data breaches seem to dominate headlines, regulatory agencies haven’t been completely clear about the rules and regulations for data stewardship across all industries. It’s clear that businesses that collect and store customer data still need to be proactive about improving their security.
It’s a bit strange - a pet store, for example, doesn’t have the same guidelines for storing and accessing data as another business. But it does make sense, confidential medical records should be backed up in HIPAA compliant data centers.
In these situations, it may be more cost-effective for a business to leverage the infrastructure of a managed service provider (MSP) with the necessary certifications in place rather than investing in upgrading their existing technology.
In fact, any provider servicing tightly regulated industries, like healthcare, are obligated to have more than just 2FA as a security measure in place. For example, a HIPAA compliant MSP requires several layers of protection:
There are two specific criteria that relate to data backups and data retention within HIPAA legislation. These are referred to as the Data Backup Plan and Retention Period. Each of these criteria contain several physical, technical and administrative safeguards which must be in place for an MSP to qualify as HIPAA compliant. These safeguards relate to what type of data is stored, how data is stored or transferred, and how long data is retained for.
Should 2FA be Required?
Getting ahead of possible security regulations helps convey a message to customers that a business is serious about privacy.
But perhaps equally as important is avoiding penalties for businesses that fail to adequately protect customer data. It’s difficult to see a scenario where more security is a bad thing, but as of right now 2FA is not a requirement for all businesses.
Some enterprise companies are leading the charge in this area, like Microsoft, which announced over the summer that all their Cloud Solution Providers (CSPs) which help businesses manage Office365 accounts will be required to use multi-factor authentication.
The change comes in the wake of a major breach at PCM Inc., one of the largest CSP’s in the world:
This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees ‘email and documents in Office365.
As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.