Two factor authentication is an additional check to make sure a user is who they say they are before they are permitted to log in to an account. Either a user can set up 2-FA to protect their accounts, or two factor authentication is enforced by a company as a condition of using their platform.
In practice, two factor authentication might involve entering a one-time passcode – generated on a phone – or providing a secret code sent over SMS.
These checks further prove the employee’s identity because a hacker would need to have access to their phone to provide these codes. Furthermore, knowing a user’s password gets them no closer to controlling a user’s phone, so this type of 2-FA is a completely separate proof of identity.
We are going to assume that, as an internet user in the 21st century, this isn’t your first run-in with two factor authentication. It is the new standard for internet security. In recent years, popular apps such as Gmail, WordPress, Amazon, Apple, eBay, GitHub, MongoDB, MyGov, and so many more, have adopted two-factor authentication.
If you are curious, Two Factor Auth List has a list of thousands of sites that have enabled 2-FA.
The security-conscious user can now enable two factor authentication to protect their Facebook, Twitter, Instagram or other social media accounts. Banks were another early adopter of two factor authentication. They have been sending SMSs with secret codes to further authenticate users for years now.
Why Businesses Need Two Factor Authentication
At times, two factor authentication can be really annoying. When a phone has a flat battery or you’ve changed SIMs, 2-FA just gets in the way. In a perfect world, there would be no 2-FA, and you’d be able to log into all your accounts with just a username.
Unfortunately, your accounts are valuable and hackers want to steal from you. With a decent understanding of OPSEC, anyone can be completely anonymous online. Two factor authentication is vital for protecting your accounts and, more importantly, your business. The reason is a simple one: the trusty username and password combination isn’t secure. It’s undeniable that this combination is the backbone of online authentication; passwords are simple and to the point. They are easy for developers to implement, and users are familiar with them. All pros, right? Unfortunately no. Passwords are unqualified and unprepared for the cyber security threats of the modern internet.
1. Two Factor Authentication Reinforces Passwords
A password and a username is already a factor of authentication. Think of this combination as the first factor and every subsequent factor as an additional layer of security. A hacker can know your password, but if they try to log-in without the second factor of authentication their attack is dead in the water.
How Do Hackers Steal Passwords?
Let’s pause for a second and try to answer a question you might never have asked: what exactly is a password?
If you consult the textbooks they will tell you that a password is the most basic implementation of a shared secret.
That really opens up more questions than it answers. What is this secret and who is it shared with? Well, when you create a new account on a website or an app, your credentials are stored in that app’s database. They do this so that the website can remember who you are for the next time you try to log in.
Do you see the problem? People reuse credentials, and every single account you’ve ever created has a copy of your username and password stored in a database. As a result, you essentially trust that company to protect your credentials. Nowadays, we create a lot of accounts. Multiply that risk by all the employees in your organisation to truly grasp the scope of the problem.
Clever companies store encrypted versions of their users’ usernames and passwords. When a hacker steals an encrypted password, there is no technology on earth that can reverse the encryption to uncover the original string of characters from the cipher text they stole. If you manage it, be sure to collect your Nobel Prize in Mathematics.
If everyone encrypted their stored passwords it would completely eliminate the worldwide problem of hacked password databases. Surprisingly, very few companies will extend you the courtesy of encrypting your username and password.
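The article calls this encryption; what a site actually keeps is a salted, slow one-way hash, which is why there is no key that could ever turn the stored record back into the password. This is an added example, not the article’s or any vendor’s code, using PBKDF2-HMAC-SHA256 from the Python standard library; the record format and iteration count are assumptions:

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

def store_password(password: str, salt: bytes = None) -> str:
    """Build the record a site keeps instead of the password itself:
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. The random per-user salt
    means two people with the same password get unrelated records, so a thief
    cannot spot reused passwords across accounts or use precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Nothing here decrypts the record; that is what makes a stolen copy so useless."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```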
2. Hacked Passwords are Fed to Bots for Credential Stuffing
The internet is full of bots. Some bots come in peace, others shoot to kill. Malicious bots tirelessly stuff stolen credentials all over the internet until finally they get a match. Credential stuffing operations have been aimed at companies’ WordPress sites, cloud storage solutions, and Google accounts. Credential stuffing is a constant threat to all your third-party applications. Any publicly accessible endpoint is a risk. An endpoint is any location at a domain or even a device.
Remember, your business’s passwords are only as secure as the weakest database they are stored in. Not that you would, but you can buy credential stuffing software on the deep web. We live in a time where fraud starter kits are sold as a service, listed right alongside the stolen credentials hackers need to start using them. It is criminally easy. You just deposit your cryptocurrency into escrow, and everything is delivered instantly. Next, how about a complete anonymity kit? It’s all so cheap too. Credential stuffing software rarely goes for more than $50.
Do you trust every employee in your company to use a new password every time they create a new account? That’s the level of naivety required to forgo two factor authentication, or multifactor authentication.
Botnets Give a Hacker Unlimited Attempts at Guessing a Password
Botnets hide the true origin of login attempts from servers. For credential stuffing software to work, hackers repetitively spam login forms. Hundreds of login attempts made in a short time frame is obviously malicious traffic. Clever people program servers to recognise these types of attacks.
A botnet adds another layer of complexity to the attack by making the traffic look like it’s coming from hundreds of IP addresses instead of a single program. Right now, there are massive botnets roaming the internet searching for any vulnerability they can find.
Two factor authentication to the rescue. We aren’t exaggerating when we say that two factor authentication practically eliminates the risk of guessable, hacked, stuffed and recycled credentials. Something as simple as an SMS message or confirmation email will stop most attacks.
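The two patterns described above, a single IP hammering the login form versus a botnet spreading one attempt per address, look different in a login log, and a defender needs both checks. This is an added example, not the article’s code: the log line format, the thresholds and the sample log (documentation IP ranges, one attempt per bot) are all constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One event per line; a constructed format for this example, not a real server's log.
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((int(ts.timestamp()), m["ip"], m["user"], m["res"]))
    return events

def analyse(events, window_s=300, per_ip_max=3, min_ips=5, min_users=5, fail_ratio=0.8):
    """Return (brute_force_ips, stuffing_window_keys) over fixed time buckets."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window_s].append(ev)
    brute, stuffing = set(), []
    for key, win in buckets.items():
        fails = [e for e in win if e[3] == "FAIL"]
        per_ip = Counter(e[1] for e in fails)
        # Single-source brute force: one IP alone exceeds the per-IP failure limit.
        brute.update(ip for ip, n in per_ip.items() if n > per_ip_max)
        # Distributed stuffing: no IP trips the per-IP limit, yet many IPs together
        # fail against many distinct usernames and dominate the window's traffic.
        users = {e[2] for e in fails}
        if (len(per_ip) >= min_ips and len(users) >= min_users
                and max(per_ip.values()) <= per_ip_max
                and len(fails) / len(win) >= fail_ratio):
            stuffing.append(key)
    return brute, sorted(stuffing)

# Constructed sample: the 10:00 window is one noisy IP, the 10:10 window is a botnet
# spread (one failed attempt per address, each against a different username).
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.9 user=alice result=FAIL" for i in range(6)]
    + [f"2024-05-01T10:10:{i:02d}Z ip=198.51.100.{i} user=user{i} result=FAIL" for i in range(1, 8)]
    + ["2024-05-01T10:10:30Z ip=192.0.2.4 user=bob result=OK"]
)

if __name__ == "__main__":
    print(analyse(parse(SAMPLE_LOG)))
```

The per-IP rule alone never fires on the second window, which is exactly the gap a botnet exploits; the aggregate rule is what catches it.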
3. How To Choose a Second Factor of Authentication
Best practice for two factor authentication is to make sure your second factor of authentication is a different type of authentication to the first. Confused? Don’t be. It’s really quite simple. There are three main types of authentication: something you know (a password or security question), something you have (a phone or hardware token) and something you are (a fingerprint or face).
If your first factor is a password (something you know), it’s better to have your second factor depend on proving ownership of a device or using a thumbprint. Doubling up on factors of the same type, while beneficial, doesn’t offer the same security guarantees. If a hacker has control of your device, then it’s conceivable that they have access to more of your stuff. If a hacker can guess your password, it’s likely that they can guess your security questions or username too.
Two Factor Authentication Suggestions:
- SMS codes
- App generated codes (Google Authenticator, Authy, Microsoft Authenticator)
- Chrome Extensions
- Confirmation Emails
- Hardware (Security Tokens)
- Security Questions
4. Two Factor Authentication is Supported and Adopted
A good reason to use two factor authentication is that people already understand it. Unlike other cyber security measures, there is no learning curve for the end-user. What’s more, the tech is there to support using 2-FA in your business. Phones can act as security tokens and generate one time passwords, or receive SMSs with secret codes. When running a business, the best cyber security solution is something that’s quick and painless to get off the ground. Two factor authentication ticks all those boxes.
The smartphone will likely play a greater role in future 2-FA as newer devices have fingerprint and face scanners built in to them.
Furthermore, software offerings like LastPass can handle two factor authentication in the browser and Google’s social sign-in can ask users to complete two factor authentication before sending OAuth tokens.
Before investing in another software product to secure your enterprise with 2-FA, make sure that you don’t already have two factor authentication. Microsoft Azure Active Directory Premium and Microsoft 365 Business both support two factor authentication; you enable it as a Conditional Access policy. Google’s G Suite also has two factor authentication. An easy way to spread the coverage of your 2-FA is to set up federated identity; essentially, this means your Google or Microsoft sign-in is enforced and honoured by your third-party applications.
5. Two Factor Authentication Protects Against Dark Web Password Dumps
The dark web has enabled greater cooperation and specialisation for cyber criminals.
Now stolen credentials are a commodity that can be traded in bulk. Since there is an established market for them, one criminal group can focus just on stealing passwords and selling them wholesale. Then another criminal group can specialise in refining these passwords into money through one exploit or another.
You should assume that employee passwords will be stolen. If not from your database then from somewhere else. The deep web will likely never die. This is the world we live in now. You need to take measures such as two factor authentication to protect your business.
6. Two Factor Authentication Protects Against Phishing
The average cost of a phishing attack for mid-size companies is $1.6 million – Dashlane
Phishing is an attack where a hacker sends a deceptive email that tricks employees into typing their password into a dummy form. The credentials they enter are then sent to the hacker.
Imagine a hacker pretending to be the CEO of a company. They send a fake Google Calendar invite to a targeted group within the company. The email is a clone, and it looks identical to a hundred other invites the recipients have received before. The employees don’t give it a second thought: they enter their login details and click accept.
Two factor authentication protects your business from phishing. Imagine how hard it is for a hacker to phish a phone or biometric data such as a fingerprint. These can be stolen locally, but you would need to be harbouring state secrets before your company is likely to face that level of attack. If you are concerned about stolen mobile devices, device management software can be installed on a phone so that admins can lock it or erase all the data.
It is far more likely that an employee enters their username and password into a fake application or email attachment than that they have a device stolen.
7. Require Two Factor Authentication For High-risk Activities
Two factor authentication isn’t just for log-in events. Every business has high-risk activities that a hacker absolutely should not be able to perform.
- Sending money
- Accessing resources
- Changing passwords
- Linking new accounts
- Installing software
An advanced use case for two factor authentication is requiring it in response to suspicious user behaviour. Ever logged in from a new device and had to enter a 2-FA code? Or travelled overseas and been massively inconvenienced by an SMS code, triggered because your IP address shows you are in another country, that you can’t receive?
Two factor authentication can make sure that managers, HR staff, or anyone else, are not only aware that what they are doing is a high-risk activity, but that they have the authorisation to send the funds. Two factor authentication discourages negative cyber security and business practices.
These kinds of preventive measures protect your business from external hackers but also from disgruntled employees and opportunistic crimes.
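A small policy engine ties together the advice in this section (step up for the listed high-risk actions and for suspicious context such as a new device or a changed country) with the earlier advice to pick a second factor of a different type from the password, including the overseas case where SMS cannot be received. This is an added example, not the article’s or any product’s code; the action names, factor names, 15-minute freshness window and request fields are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Actions the article lists as high-risk: always re-verify, even mid-session.
HIGH_RISK_ACTIONS = {"send_money", "access_resources", "change_password",
                     "link_account", "install_software"}
# Type of each enrolled method; a "knowledge" factor duplicates the password's type.
FACTOR_TYPE = {"hardware_token": "possession", "authenticator_app": "possession",
               "sms": "possession", "email": "possession",
               "security_question": "knowledge"}
PREFERENCE = ["hardware_token", "authenticator_app", "sms", "email", "security_question"]

@dataclass
class Request:
    action: str
    device_id: str
    country: str
    known_devices: frozenset
    last_country: Optional[str]
    seconds_since_mfa: Optional[int]   # None: no second factor yet this session
    factors: frozenset                  # methods the user has enrolled
    sms_reachable: bool = True          # False when roaming without service

def step_up_reasons(req: Request, max_mfa_age: int = 900) -> list:
    """Reasons to demand a second factor now; an empty list means no prompt."""
    reasons = []
    if req.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk action")
    if req.device_id not in req.known_devices:
        reasons.append("unrecognised device")
    if req.last_country and req.country != req.last_country:
        reasons.append("country differs from last login")
    # A recent second-factor check covers routine actions, so the user is not
    # nagged on every click; high-risk actions are re-verified regardless.
    recent = req.seconds_since_mfa is not None and req.seconds_since_mfa <= max_mfa_age
    if recent and req.action not in HIGH_RISK_ACTIONS:
        return []
    return reasons

def choose_factor(req: Request) -> Optional[str]:
    """Strongest enrolled method whose type differs from the password's."""
    for method in PREFERENCE:
        if method not in req.factors or FACTOR_TYPE[method] == "knowledge":
            continue
        if method == "sms" and not req.sms_reachable:
            continue  # the overseas case: fall through rather than lock the user out
        return method
    return None  # only knowledge-type factors enrolled: the user needs a real second factor
```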
8. Two Factor Authentication Can Warn Your Employees When Their Password is Compromised
It’s very difficult to tell when someone has a copy of your password. Placing 2-FA on an account can be the heads-up you need that a leak has occurred. If, out of the blue, employees get security codes for logins they never requested, it’s probably time to evaluate your cyber security.
Ideally, your endpoint management software records login events so that someone can follow up on this suspicious login event. Furthermore, it could be a good idea to pen a strategy that outlines steps to find the cause of the leak after a suspicious login notification. Definitely have that employee change their password. Another good idea is to generate a strong password rather than letting them choose another one. They can write it down and keep it somewhere safe until they have remembered it.
9. Third-Party Logins
A lot of third-party apps and services will allow you to log in with a Facebook or Google account. The vulnerability here is an obvious one. If the attacker has control of these accounts, then they can gain additional access with them and circumvent two factor authentication. In a business setting it’s unlikely that you have Facebook login enabled, but Google login is very common.
Luckily, two factor authentication protects Google accounts. By mandating 2-FA on business accounts, you turn a weakness into a strength. Now employees can use their Google accounts to sign into everything. In addition, this is great for preventing password recycling, and your accounts are protected by one of the best designed sign-ins on the internet.
Final Thoughts on Two Factor Authentication
Use it!! We know that it can be a pain, but it’s a simple yet incredibly effective way to secure logins. Pretty much the only chance hackers have of breaking into accounts protected by two factor authentication is stealing an employee’s phone or intercepting their SMS messages. You make their lives very, very difficult and localise the threat. A password can be stolen from anywhere. To overcome a something-you-have factor of authentication, the attacker needs to be local, which significantly reduces the threat.
If you have any questions about two factor authentication and how it can protect your business contact Stanfield IT today.