Two-Factor Authentication: A Necessary Security Layer
Do you need to implement 2FA for your business?
With news everywhere of data breaches and hacking, online security has become a priority today. 2FA, or two-factor authentication, is one well-established method of proving a user's identity. It is a second, required verification step that follows the user's password before access to a system or application is granted.
But how would this relate to you as a business owner?
As a company, it is unacceptable to let unauthorized individuals gain access to the data we have promised our clients and stakeholders to secure and protect. Specifically, we're referring to websites and software-as-a-service applications that require user logins.
In this article, we'd like to emphasize how important it is to add 2FA as another necessary security layer to your websites and online business applications.
So if you provide solutions and have not yet implemented 2FA for your clients, perhaps this is the right time to do so. Furthermore, if you run publicly accessible applications for your own business, you should have it there as well.
What is this two-factor authentication method?
It's a type of multi-factor authentication based on the premise that an unauthorized user is unlikely to be able to supply the evidence required to gain access when that evidence is a combination of two different factors.
Check out these examples of how 2FA is implemented:
- Withdrawing money from an ATM. The machine allows the user to carry out the transaction only with the right combination of an EMV bank card and a PIN.
- Logging into Facebook using a new device. Once you enter your account credentials, a generated code is sent via SMS to the device Facebook already recognizes. The user then supplies that code so the new device is accepted and registered.
What can happen when your business suffers unauthorized access
Unlikely to happen to your business?
Think again. According to the Verizon Data Breach Investigations Report (DBIR), hacked or weak passwords caused 81% of breaches in the last three (3) years.
For instance, when an attacker steals your credentials and data, he could:
- Lock you out of your account.
- Steal your identity.
- View your files and photos.
- Freely steal your money and valuable information.
- Reset your other accounts, etc.
When only a single factor is used to identify a user, the risk of a breach is high.
Four categories of factors considered in 2FA that business owners need to know
The two-factor authentication scheme can use any of the following kinds of evidence (factors) to establish sufficient certainty of the user's identity before allowing access:
- Knowledge (something only the user knows)
  - Secret questions
- Possession (a physical object only the user has)
  - Hardware in the user's possession, such as a USB stick with a secret token, an EMV bank card, a key, etc.
  - Smartphones with software authenticators
- Inherence (physical characteristics that only the user possesses)
  - Biometrics such as a fingerprint, iris and voice recognition, typing speed, facial ID, etc.
- Location-based (real-time geographic coordinates of where the user is located)
  - Mobile network and GPS data to pinpoint location.
Updates in two-factor authentication usage
Here are some global facts about this method that you need to know:
- A group of contributors has created a website with a list of companies that implement 2FA.
- Top sites that implemented 2FA are Dropbox, Facebook, Google, Twitter, Wells Fargo, Bank of America, and Stripe.
- As of 2018, SMS is the most broadly adopted 2FA method for consumer-facing accounts. Despite its popularity, it has faced a lot of criticism.
Common Implementations of Two-Factor Authentication and drawbacks
Once you've decided to implement this security method, let's look at what other businesses already use and some of the feedback they've provided:
Mobile Phone 2FA (QR code-based authentication, push-based authentication, one-time password (OTP) authentication, and SMS-based verification)
- Drawback: Hackers can clone phone SIMs and intercept text messages if phones get stolen. Sometimes, mobile networks delay text messages, which causes authentication sessions to expire prematurely.
- Drawback: Users need data and internet access to validate. Reportedly, many users lose their phones every day.
Software Token 2FA (Google Authenticator, Twilio Authy, Duo Mobile, and LastPass Authenticator)
- Drawback: Switching smartphones requires you to reconfigure the authenticator and rely on another authentication method for validation in the meantime.
Hardware Token 2FA (USB stick, the EMV bank card, etc.)
- Drawback: Users need to carry them at practically all times. Likewise, the system locks out even authorized users if the token is stolen. Furthermore, many organizations forbid carrying USB devices to avoid data breaches.
In conclusion, everyone is concerned about security and data protection. Two-factor authentication is still one of the best ways so far to add an extra layer of security to any consumer-facing account.
However, you will need a proper security assessment of your existing technology and processes. The assessment must fit your available resources and what's best for your business. If you're not quite certain how to go about it, we recommend that you consult a team of security professionals for assistance.
At the end of the day, businesses can combine different authentication factors to further minimize the risk of compromised accounts. But they first need to plan how the company will move forward with implementing 2FA.