Tuesday, 25 June 2019

Doubling up: why two-factor authentication is your next step in digital security

We’ve written about the need for additional layers of security for passwords, particularly given the increased targeting of Microsoft’s Office 365 as more and more businesses and individuals migrate to the cloud, especially for email.

Your email address is the golden goose for anyone trying to compromise you or your data: not only does it give them the chance to impersonate you, it’s also where you get to reset your passwords for most other things, which could lead to all sorts of trouble.

As we continue to do even more online, the safety of our digital information has become as important as locking our front door. With all companies at seemingly equal risk of being targeted by cyber-attacks or data leaks, we are collectively doing more to protect our online information, both at work and at home.

So, if you want to add a way to protect your data even further, then it may well be time to enable two-factor authentication – also called two-step verification, or 2FA. Although this technology was introduced into many of our online banking processes some time ago, the idea of an extra security check has gone from an inconvenient nuisance (remembering to carry around your card-reader) to absolutely essential.

Due in equal parts to our growing reliance on personal technology, the integration of our work and personal devices and high-profile media stories showing just how easy cracking passwords can be, we are now even more focused on making sure our own data is not compromised.

Two-factor authentication is certainly not fail-safe, but it is an additional and comprehensive step to secure your work and personal accounts more thoroughly – even if someone finds out your password.

So, what exactly is two-factor authentication?

2FA is a term for any additional checkpoint that authenticates that the right person is accessing something that is otherwise password protected.

We are all aware that passwords can be compromised. So, along with making them longer, more complicated and periodically changing them, it also makes sense to add another ‘checkpoint’ when you log in, based on a different suite of information only you have access to.

When should you use 2FA?

Personal use

Although 2FA may often be associated with business accounts, it’s just as important to use it for your personal accounts. Simply put: this is your information, money and data at stake!

Two-factor authentication will notify you if anyone does get hold of your password, giving you a quick opportunity to change it.

In the past you may not have become aware of, for example, a compromised email account unless friends or colleagues notified you that you appeared to be sending out junk mail.

In the workplace

2FA in the workplace is ideal for offices that use hot-desking, for those in job shares, if you work on a front desk, in a co-working space, or anywhere you are using sensitive accounts on a computer you share with another person.

When a company allows access to a system externally, it puts itself at risk of being targeted, and 2FA helps to distinguish legitimate users logging into accounts from potential cybercriminals. As remote access and mobile work habits are now a lot more common, companies do have to get smarter about monitoring who is logging on.

2FA options

• Verification option one - something you know.

Passwords as security are based on something that only one user is privy to. This can be alphabetic or numeric, a PIN or the answer to a secret question. This initial verification uses the same 'suite' of authentication methods and can ultimately be bypassed in much the same way. Therein lies the problem: we know that passwords can be broken, so PINs and secret questions can be too.

• Verification option two - something you have.

2FA is a second layer of security, based on something that you have access to physically - it's a completely different method of verifying your identity.

This could be an email, iMessage, WhatsApp or SMS alert which is then sent to a pre-approved device. However, something you have can also mean anything physical, extending to a token, a SIM, USB key, or even a card reader, key fob or physical ID card.

The smartphone has enhanced the 2FA process, as it requires the user to carry no additional equipment. Because we use our phones for everything, this second step can be accessed anytime.

This form of 2FA is the most convenient and the type we would recommend.

When enabling 2FA, you will typically receive a message showing a single-use code, which you are required to input into the account you’re accessing. Only if the code is correct are you then able to access your information. Success!

The codes are randomly generated and expire after a few minutes, depending on the software; so they can't be stored or used again.
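How a service might issue and check the single-use codes described above, as an added example that is not part of the original article. The class name, the five-minute lifetime and the limit on guesses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use login codes (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.time):
        self.ttl = ttl_seconds            # assumed lifetime: five minutes
        self.max_attempts = max_attempts  # assumed limit on guesses per code
        self.clock = clock                # injectable so expiry can be tested
        self._pending = {}                # user -> [code_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Fixed-length bytes let compare_digest accept any submitted string.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user):
        # secrets draws from the OS CSPRNG, so codes are not predictable.
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code overwrites, and so invalidates, any earlier one.
        self._pending[user] = [self._digest(code), self.clock() + self.ttl,
                               self.max_attempts]
        return code  # sent to the user's pre-approved device, never shown at login

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                  # nothing issued, or already used
        code_digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]       # expired, or guessed too many times
            return False
        entry[2] -= 1                     # count the attempt before comparing
        if hmac.compare_digest(code_digest, self._digest(submitted)):
            del self._pending[user]       # single use: a replay finds no entry
            return True
        return False
```

The attempt limit matters because a six-digit code has only a million possible values; without it, an attacker who already holds the password could simply guess until the code expires.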

• Verification option three - something you are.

The third step in digital security gets even more personal. Most recently, biometric identification like Touch ID has made this technology more readily accessible; however, biometric ID can include anything ranging from a handwriting sample to a retina scan.

The beauty of biometric information is that it is harder – but not impossible – to hack. One of the downsides of creating and implementing a biometric system in your workplace, however, is that designing your own is very expensive!

For those with smartphones who have access to this technology, however, it adds an additional dimension to verify that you are who you say you are.

What can you use 2FA on?

Apart from ensuring you have it on all important business accounts, you can use it on many websites and applications which you use in your personal life.

And it’s just as important that you do.

Social engineering now plays a major part in cyber crime, and social media accounts frequently hold a lot of useful information that can be used to build a bigger picture in a targeted attack.

Apps like Twitter, Instagram and Facebook all allow you to communicate directly with everyone in your life. So, make sure your social is secure, as unsolicited posts and photos can lead to reputational damage, embarrassment, or cause real offence.

There’s also a serious financial risk.

2FA is the best way of stopping unsolicited posts or pictures being posted without your knowledge, as even if a hacker has your password, they will need that additional layer of access to get into your account.

Not sure if an app or service uses two-factor authentication? Visit https://twofactorauth.org and search to find out where you can enable 2FA in your digital life.

By enabling 2FA, along with solid upkeep of your regular security processes, you will have a far better chance of successfully securing your personal and workplace accounts. By no means bulletproof, 2FA is still a great tool to use within your information security best practices.

The Security Team at Grant McGregor highly recommend the adoption of at least one additional layer of security for your Office 365 accounts and have a variety of options regarding the deployment of the 2FA feature. Some involve a monthly subscription fee, some are free after a modest set-up cost.

The options are also flexible so the same app can be used for pretty much all your online accounts that support 2FA.

For more information, help or advice, please contact the Grant McGregor team on 0808 164 4142 or we can contact you if you leave us your details.


Image credit: EFF Photos 2FA-2017 via Flickr