Buckle up to be safe online

Two factor authentication

Two factor authentication is rapidly becoming the new norm when it comes to password protection and site security.

We all know that we should take better care of our online security. Many of us do a fairly poor job of making sure that we have long, complex and unique passwords for every online service; and security breaches leaking passwords are common.

Enter “two-factor authentication”, also known as “2FA”, “multi-factor authentication”, or “two-step verification”.

Two-factor authentication is an additional step you complete when logging into a site. It is based on the premise that your data is safest when you sign in with both something you know (your password) and something you have (your phone or a security key).

CommArc Consulting security analyst Steve Brorens says the particular 2FA or MFA (Multi-Factor Authentication) system you choose isn’t critical, as long as you choose one for each online service you log in to – and for remote logins to your own systems if you’re a business owner.

With the increase in flexible working hours and locations and the ability to work from home, Brorens says it’s imperative that businesses invest in some sort of 2FA for accessing business systems.

“There may be cost of time and setup initially, but not having 2FA for your business is like driving without a seatbelt. Sure, you might not get in an accident, but if you do, the odds of surviving it are infinitely better if you’re strapped in. Similarly, the odds of becoming victim to a phishing campaign or your staff being hacked seem very remote, but if it happens, you’re going to wish you’d had something in place to protect you.

“This is because there are many ways in which passwords can be snatched, leaked or guessed,” Brorens says, “and if 2FA is not in place these can be immediately used to do Bad Things. With a second factor, in most cases, it’s next to impossible for the Bad Guy to actually do anything with the password.”

Most platforms now support 2FA, and while they can take a bit of time to set up, it’s worth the investment. They can use an app on your phone, a text message, a remote token or a list of codes that you carry around with you.

What’s best?

The premium option for 2FA is a physical USB security key, like YubiKey or Google’s Titan, that you keep on your keyring. These use Universal 2nd Factor (U2F), where the login process is completed with the USB device and the press of a button. The biggest disadvantage is the cost of the keys – about $60 each.

“Next best is One Time Password (OTP) systems using apps like Google Authenticator, Authy or Microsoft Authenticator on your phone,” says Brorens. These apps will require you to screenshot a QR code once when setting up 2FA, and then enter the (usually) six-digit code it randomly generates each time you log in. 

Brorens says the simplest systems are those that “dial back” to your phone when you log in – either prompting you to press a specific key, or texting you a code to complete the login process. While slightly less secure than security keys, these are still a massive step up from nothing – and are very simple to set up and use.

Whichever system is chosen, two-factor authentication is the new norm for passwords, says Brorens.

“The issue is that if all you have for protection is the secrecy of the password, we can’t protect you if that is compromised.”  

“It might seem simple to ‘not allow someone pretending to be Steve to log in from China at 3am’ but what if you need to go there? It gets far too tricky to set up such rules.”

While the advent of facial and fingerprint recognition is the next stage in personal online security, until it’s widespread (and the bugs have been ironed out), if you’re serious about keeping your data safe on the interwebs, you’re going to need some form of two-factor authentication.

Useful links

The New Zealand Government CERT website has a good overview page at: https://www.cert.govt.nz/businesses-and-individuals/guides/keeping-yourself-safe-secure-online/two-factor-authentication/

They also have a specific page for businesses at: https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/two-factor-authentication-as-a-security-tool-for-business/

If you have questions about how to properly protect your business systems or want more information about what’s available in 2FA technology for your company, contact one of the Account Management team at CommArc today.