Two-factor authentication (2FA) is an enhanced security measure that requires users to provide two separate forms of verification when accessing resources on a network. Beyond just entering a username and password, 2FA typically involves an additional step, such as a code sent to a mobile device or a biometric scan, providing an extra layer of protection. This approach significantly reduces the risk of unauthorized access and data breaches.
How Does 2FA Work?
When users attempt to log in to a cloud-based or on-premise network – either as part of their job, or when using consumer software such as banking apps and ecommerce platforms – 2FA requires them to prove two separate ‘factors’, drawn from two different categories in the list below (two passwords are still only one factor):
- ‘Knowledge’ factor – something the user knows, most commonly a password or PIN. Knowledge factors are also known as ‘secrets’.
- ‘Possession’ factor – something the user owns or has access to, such as a mobile phone authenticator app, a physical device (ID card, key fob) or a token.
- ‘Biometric’ factor – this is anything that can identify the user as being themselves through biological information such as fingerprints, speech patterns or iris patterns.
- Timed factor – restricts login attempts to a specified time period.
- ‘Location’ factor – where the authentication attempt originated from, verified by methods such as IP addresses or GPS information obtained from a laptop or mobile phone.
IT administrators specify which of the above factors are required before a user is granted access to a network. In practice, most 2FA deployments pair a knowledge factor (the password) with a possession or biometric factor; location and time are usually treated as contextual checks in internal IT and remote-working policies, not as the second factor itself.
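The most common possession factor is a time-based one-time code from an authenticator app. The following is an added example (not code from the original page) showing how such a code is generated and verified under RFC 4226 (HOTP) and RFC 6238 (TOTP), including the checks a server should make: a small drift window, a constant-time comparison, and rejection of any counter already accepted so a captured code cannot be replayed. The secret `b"12345678901234567890"` is the published RFC test key, used here only so the output can be checked against the RFC vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def new_secret(length: int = 20) -> str:
    """Generate a random shared secret, base32-encoded for manual or QR
    entry into an authenticator app. Generated once per enrolment and
    stored server-side next to the account."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def key_from_secret(secret: str) -> bytes:
    """Decode the stored base32 secret back into the raw HMAC key."""
    return base64.b32decode(secret)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server-side check. Returns the accepted counter, or None.

    - tolerates +/- `window` time steps of clock drift between client and server,
    - compares in constant time so timing does not leak how many digits matched,
    - refuses any counter <= `last_counter` (the last counter this account used),
      which blocks replay of a code that was phished or shoulder-surfed.
    """
    if at is None:
        at = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    base = int(at) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / 6238 test key
    print("code at T=59:", totp(key, at=59))
    accepted = verify_totp(key, "287082", at=59)
    print("accepted counter:", accepted)
    print("replay accepted?", verify_totp(key, "287082", at=59, last_counter=accepted))
```

The server must persist the returned counter per account and pass it back as `last_counter` on the next attempt; without that, the drift window becomes a replay window. Real deployments also rate-limit verification attempts, since a six-digit code has only a million possibilities.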
2FA vs. Standalone Passwords
2FA is deployed with the sole purpose of preventing unauthorized access to a computer or network system. If your organization is content to rely solely on a username and password to authenticate users, you need to re-evaluate your security procedures. The logistical considerations are insignificant next to the prospect of a data breach. Companies that fail to enact robust 2FA run the risk of exposing their IT infrastructure and financial assets to cyber criminals looking to exploit lax security controls.
Passwords, when used in isolation, are markedly less secure than requiring several methods of authentication. Usernames are relatively easy to guess, and usually follow a standard ‘firstname.surname’ or email address format. Passwords should, in theory, be a lot harder to obtain, but in practice there are several methods that cybercriminals use to take advantage of weak or leaked credentials.
Password Complexity
Passwords should be of an appropriate length (usually a minimum of 8 characters, and longer is better: length does more to resist guessing than mixing character classes) and should not appear in any list of commonly used or previously breached passwords. Requiring uppercase and lowercase letters, digits and special characters helps only if it does not push users toward predictable patterns such as a capitalised word followed by a year and an exclamation mark.
Users often forgo standard practice and reuse the same password across multiple private and public platforms. This lets a data breach escalate from a relatively minor intrusion into a personal email account to large-scale corporate theft: attackers take the leaked credentials and replay them against other services (‘credential stuffing’), and every account that shares the password falls.
Social Engineering
Hackers use all manner of methods to gain access to a user’s password, including ‘social engineering’, whereby users are contacted directly by cyber criminals posing as someone else (such as a manager at work or a member of a law enforcement agency) and fooled into handing over passwords and sensitive information. Phishing sites that relay the victim’s one-time code in real time can defeat SMS and app-based codes in the same way, so the strongest second factors are phishing-resistant ones such as FIDO2/WebAuthn security keys, which are bound to the genuine site’s origin.
Password Cracking
A service never needs the password itself, only a hash of it, and that is what a well-run site stores. When a site’s password database leaks, attackers run ‘offline’ cracking against those hashes: specialised software (and GPU rigs) hashes billions of guesses per second from dictionaries, leaked-password lists and mangling rules, and any short, common or predictable password is recovered in minutes. Sites that store unsalted or fast hashes make this far easier, and the same software can also be pointed ‘online’ at a login page (‘password spraying’), which is slower but needs no breach at all.
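To make the two preceding points concrete (password reuse and offline cracking), here is an added example that is not part of the original page: a small dictionary attack against a constructed ‘dump’ of unsalted SHA-256 hashes from two hypothetical sites, followed by a check for passwords reused across the two sites. The user names, passwords, wordlist and suffix rules are all invented for the example; a real dump would contain hex strings rather than hashes computed at run time, and a real wordlist runs to millions of entries.

```python
import hashlib


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the fast hash the constructed sites 'used'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample dumps (hypothetical users and passwords). The hashes are
# computed here only so the example runs offline.
SITE_A = {
    "alice": sha256_hex("Summer2023!"),
    "bob": sha256_hex("letmein1"),
    "carol": sha256_hex("Tr0ub4dor&3-xq7"),  # not derivable from the wordlist
}
SITE_B = {
    "alice@example.com": sha256_hex("Summer2023!"),  # same password as on site A
    "dave@example.com": sha256_hex("Welcome123"),
}

# Constructed wordlist and mangling rules, standing in for the large lists and
# rule sets real cracking tools ship with.
WORDLIST = ["password", "welcome", "summer", "letmein", "monkey", "dragon"]
SUFFIXES = ["", "1", "123", "!", "2023", "2023!"]


def candidates(words):
    """Yield each word in three case variants, each with every common suffix.
    This is exactly the 'complex' pattern a capitalise-and-add-a-year policy
    produces, which is why it is the first rule an attacker tries."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(dump, words):
    """Offline dictionary attack. Because the hashes are unsalted, one hashed
    guess is compared against every user at once. Returns (cracked, tried)."""
    targets = {}
    for user, digest in dump.items():
        targets.setdefault(digest, []).append(user)
    cracked = {}
    tried = 0
    for guess in candidates(words):
        tried += 1
        for user in targets.get(sha256_hex(guess), []):
            cracked[user] = guess
    return cracked, tried


def reused_hashes(dump_a, dump_b):
    """Cross-site reuse: identical unsalted hashes mean identical passwords,
    visible even before anything is cracked. Maps site-A user -> site-B users."""
    by_hash = {}
    for user, digest in dump_b.items():
        by_hash.setdefault(digest, []).append(user)
    return {user: by_hash[d] for user, d in dump_a.items() if d in by_hash}


if __name__ == "__main__":
    cracked_a, tried = crack(SITE_A, WORDLIST)
    print(f"site A: cracked {len(cracked_a)}/{len(SITE_A)} with {tried} guesses: {cracked_a}")
    cracked_b, _ = crack(SITE_B, WORDLIST)
    print(f"site B: {cracked_b}")
    print("reused across sites:", reused_hashes(SITE_A, SITE_B))
```

Salted, deliberately slow hashes (bcrypt, scrypt, Argon2) raise the cost of each guess and stop the cross-site correlation, but they do not protect a user whose password has already been recovered from some other site: once attackers hold the plaintext, only a second factor stops them from logging in.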
Poor Off-Boarding Procedures
When employees leave your organization, it is essential that they do not retain access to your IT assets. All too often, companies fail to disable a former employee’s accounts and revoke their credentials, tokens and keys, which can lead to all manner of problems, not limited to IP theft, data breaches and reputational damage.
By requiring multiple forms of verification, such as linking a user’s account to an official authentication app (‘possession’ factor), firms are ensuring that disgruntled employees are provided with the fewest number of opportunities to cause havoc.
High-Profile Hacks
2FA plays an integral role in securing personal and commercial information in the era of high-profile corporate data breaches.
When a user logs into an online service, the information they enter – everything from usernames and passwords to personal information – is stored by the service (passwords, properly, only as salted hashes and never in plaintext). Users have no control over how this information is kept secure by third-party companies and place their trust in multinational organizations to enact robust security protocols to keep it out of the hands of opportunistic criminals.
LinkedIn Data Breach
It’s not all about password security. In 2021 an actor posting under the name ‘God User’ scraped the personal information of roughly 700 million LinkedIn users, reportedly by abusing the professional networking site’s API, in what is widely regarded as one of the largest exposures of user data from a single website.
While the breach did not include passwords, it contained the following information:
- Email addresses
- Phone numbers
- Geolocation records
- Genders
- Social media details
All this information can be used to guess passwords, answer security questions or trigger password resets across various different online platforms. Unless those platforms utilize 2FA to secure accounts, the potential for additional breaches is enormous. Leaked phone numbers also make SIM-swap attacks against SMS-based codes easier, which is one reason to prefer an authenticator app or hardware key over SMS as the second factor.
An Essential Tool for the Digital Age
Enacting 2FA is the minimum that organizations can do to secure their data and protect the identity of their employees and customers. It is no longer sufficient to rely on usernames and passwords alone.
If your organization doesn’t already use 2FA, consult with your teams immediately on how best to implement it. The technology has been around for over a decade and IT staff are broadly familiar with its requirements.