Does your company use two-factor authentication – or 2FA – to ensure that only authorized users can access sensitive data? If you’re not already familiar with this essential security measure, now is a great time to learn about it and implement it.
In honor of National Cybersecurity Awareness Month (NCSAM), here are the answers to some of the main questions you might have about what two-factor authentication is, how it works, and why it’s an IT security solution every business should have in place to minimize data breach risk levels.
What is two-factor authentication and how does it work?
Essentially, 2FA uses two different pieces of information (aside from the username) to verify that a user actually is who they say they are before they’re allowed to access an account or system, according to the CSO article “2fa explained: How to enable it and how it works.”
Most of us are familiar with single-factor authentication, which just requires you to input your username and a password. With two-factor, you must provide something in addition to your password to log in. Many 2FA solutions today involve a code or approval prompt accessed via your smartphone, since that’s something many of us have on us at almost all times.
Why should I use two-factor authentication?
Two-factor authentication adds an extra layer of security. Even if your users pick strong passwords, change them regularly and don’t use them across multiple accounts, credential theft (e.g., through phishing scams) has become common. Twenty-nine percent of data breaches involve stolen credentials, according to Verizon’s 2019 Data Breach Investigations Report.
Passwords alone simply aren’t secure enough anymore. Two-factor, however, can potentially stop cybersecurity threats in their tracks. Research released by Google earlier this year found that an SMS code sent to a user’s phone blocked 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. On-device prompts – a more secure 2FA alternative to SMS – stopped 100 percent of automated bots, 99 percent of bulk phishing attempts and 90 percent of targeted attacks.
What types of two-factor authentication are available, and which one is best for my business?
There are four main kinds of 2FA, according to the TechCrunch article “Cybersecurity 101: Two-factor authentication can save you from hackers.” All of them have pros and cons, and the right method depends on which apps your business uses and what 2FA options they support.
1. Codes from authenticator apps. This involves users installing an app on their smartphones that generates temporary codes that serve as the second authenticating factor. Because these codes are securely relayed via an HTTPS connection, the only way hackers can get to that info is by infecting your phone with malware or acquiring the phone itself.
2. Codes sent via text message. This is the most common 2FA technique and doesn’t even require users to have smartphones, just phones capable of receiving text messages. However, SMS messages aren’t encrypted, which can lead to leaks. Hackers have also found vulnerabilities in phone networks that they can exploit to get their hands on these codes. As a result, codes sent via SMS are better than single-factor authentication but are probably the least secure 2FA method you can choose.
3. Biometrics. This is a less common method, since it requires specialized tech. Think retina, face and fingerprint scans. Hackers can only get around this if they go to lengths like fingerprint cloning.
4. Physical keys. These keys are USB drives that you must insert into your computer to confirm your identity, and they’re considered the most secure 2FA option. However, not many sites currently support this method.
If you’d like to learn more about two-factor authentication and other cybersecurity solutions, our team of IT security experts can assist you. We offer 2FA as one of our data security solutions, and Stratosphere provides various managed cybersecurity products and services. We can help you determine which solutions meet your company’s specific requirements. Our security analysts can also perform an IT security assessment to define your needs and points of vulnerability.