25 September 2018
Passwords aren’t enough anymore.
Despite better alternatives, usernames and passwords remain the most common form of user authentication for “secure” services. If recent history has taught us anything, it is that usernames and passwords are easily compromised through phishing attacks, malware infections, social engineering and a plethora of other attack vectors.
A compromised username and password can often give an attacker access to multiple online services, because users commonly make the mistake of reusing the same password across multiple websites. If an intruder gains access to any one of your online services, they will try the same credentials against your other services too, such as your Dropbox account, online webmail, or Facebook account.
Introducing “Two-Factor Authentication” (2FA)!
2FA is an extra layer of security that not only requires a username and password, but also something that only the real user has access to. This step makes it much more difficult for potential intruders to gain access and steal that person’s identity or data.
2FA is not new – we’ve been using it for years for services such as online banking through the use of one-time-code fobs. However, 2FA has now become common practice for controlling logins to many online services such as webmail, cloud accounting software, CRMs, remote access to work networks and much more.
This second authentication factor can be:
Something you know: a secondary password, a private PIN, answers to “secret questions”.
Something you have: a bank card, code fob, smartphone, or digital certificate.
Something you are: biometric patterns such as an eye scan or fingerprint.
The most common form of 2FA is having a security code sent to you via text message (SMS). To enable this feature, one usually just goes to the Account/Security section of the online service and registers a phone number. SMS verification is a great way of improving the logon security of the service. However, it is not an invincibility cloak: note that SIM cards can be cloned in order to obtain these SMS codes, and through social engineering and identity theft, attackers can often coax your mobile phone provider into sending them a SIM card with your phone number attached! A better 2FA alternative to SMS codes is an authenticator app such as Google Authenticator or Microsoft Authenticator. Here, the security code is generated by a pre-configured, authorised smartphone app, so nothing needs to travel over the phone network at login time.
2FA should be a key factor when you are deciding which provider or software solution to implement for your business. If you are using a password management tool (such as LastPass or 1Password) to manage your passwords, you should also use 2FA to protect access to these valuable passwords. Not sure whether your service provider supports 2FA? Check here: https://twofactorauth.org/
Have questions on 2FA? Feel free to reach out through the comments or the contact us section!