Two Factor Authentication: Why, When and How

We’ve heard about cases in the news, and some of us have personally experienced having our credentials stolen by cyber criminals and used for malicious purposes. It’s become so frequent that people have become numb to it. How many times have you seen someone post on their social media account that they’ve been hacked or that their credentials were stolen?

This blog post will discuss two factor authentication – when you should use it, and what techniques are available to help prevent the theft of credentials and protect against unauthorized access.

Before we discuss types of technology that can be used, let’s determine where we can use two-factor authentication and why it’s needed. Some of the more notable sites that now offer two factor authentication, which requires two forms of identification to login to an account, are Facebook, Dropbox, Twitter, Google, financial institutes, etc. There was a major push to provide two factor authentication to customers after user accounts to these sites were being either phished, or credentials were guessed/ stolen at extremely high rates. Twitter found this out the hard way when the Associated Press’ Twitter account was compromised and attackers falsely reported that there was an attack on the White House, injuring President Obama. This obviously caused widespread panic and impacted the financial markets trading. As a result, Twitter quickly added two-factor authentication to their accounts.

In additional to personal security there are business reasons for using two factor authentication for sensitive accounts. While it might not be practical to use two-factor authentication for every account, you should establish criteria to determine which accounts it’s relevant for. Here are a few examples of where two-factor authentication should be used in business:

• VPNs and remote access – any employee access from outside the network into your internal network should use two-factor authentication.
• Third party cloud sites – any SaaS site that you use to store, manage, or transfer business data should be running two-factor authentication. If you can access the data with only a password over the internet, so can the bad guys.
• Sensitive accounts – there are certain accounts in your network, and you know what they are, that handle sensitive data and should be accessed using two-factor authentication. For example, all Windows Domain Admins should have two-factor authentication enabled on their accounts to verify that the person logging into the network as admin is truly the admin. If an attacker gains access to a domain admin account, it’s game over.

Now that we have an idea of where two-factor authentication should be used in your organization, let’s review a few types of authentication methods:

• Grid Cards – with grid cards the user is prompted to enter coordinates from a physical piece of paper after supplying the proper password to the application.
• Biometrics – this one’s been around for a while and it relies on the concept of analyzing “something the user is” rather than “something the user has”. It uses a physical part of the user, such as a retina or fingerprint, to verify the identity of the person.
• Tokens – a token is physical device that displays characters that change at set intervals. When a user logs in they also have to check their physical token and insert the current characters displayed on it, as second authentication factor.
• SMS – with the emergence of mobile phones we’ve seen many companies use smartphone as a second method of authentication. For this method, the users inserts a code sent to his/her phone as the secondary authentication. The mindset around this is that since most people use their phones for themselves, it’s a unique enough method to send the second factor of authentication.
• Mobile – similar to the SMS method you can download an app to your phone that serves as token. Like the physical token the app displays characters that change at set intervals, which the users inserts into the online application.

With millions of accounts and data being compromised every single day two-factor authentication is a no-brainer for both personal and business accounts. Make sure your vendor offers this type of authentication before using their services to handle your sensitive data.