AT-NET Services can implement 2FA

2FA Two Factor Authentication

Two Factor Authentication: The Basics

Time has marched on and there’s no getting around it: the password as we know it is dead. The information we keep online is too important to only safeguard with a single string of characters. Our security methods are evolving. The web pirates are constantly attacking and stealing passwords.

Essentially, web security has moved from the Captain America approach — using one shield for self-defense: a password — to the Batman approach, where a utility belt of tools contains options for a variety of situations.

One of the most important resources in that utility belt is two-factor authentication (2FA). It’s a very cost-effective measure that protects against key threat vectors. The cybersecurity industry calculates that users who enabled 2FA ended up blocking about 99.9% of automated attacks. What 2FA means is that bad guys now have an exponentially harder time gaining access to your systems and information.

Let’s dig in to 2FA: why it’s important, how it works, and how you can get started.

Why Two Factor Authentication is an Essential Part of Web Security

Two-factor authentication means that whatever application or service you’re logging in to is double-checking that the request is really coming from you by confirming the login with you through a separate venue.

You’ve probably used 2FA before, even if you weren’t aware of it. If a website has ever sent a numeric code to your phone for you to enter to gain access, for instance, you’ve completed a multi-factor transaction.

2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

2FA also does something that’s key to maintaining a strong security posture: it actively involves users in the process of remaining secure, and creates an environment where users are knowledgeable participants in their own digital safety. When a 2FA notification comes to a user, they have to answer the question, “Did I initiate that, or is someone attempting to access my account?” This underlines the importance of security with each transaction. While most other web security methods are passive, and don’t involve end users as collaborators, 2FA creates a partnership between users and administrators.

How Does Two Factor Authentication Work

Different 2FA methods use varying processes, but they all rely on the same underlying workflow.

Typically, a 2FA transaction happens like this:

  1. The user logs in to the website or service with their username and password.
  2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
  3. The authentication server sends a unique code to the user’s second-factor device.
  4. The user confirms their identity by approving the additional authentication from their second-factor device.

While the basic processes behind multi-factor authentication are generally the same across providers, there are many ways to implement it, and not all methods are created equal. Let’s dive into the various types of 2FA.

Types of Two Factor Authentication

Generally, multi-factor authentication systems rely on at least one of the following approaches.

  • Authenticator Apps. Authenticator apps are exactly what they sound like: smartphone apps that handle the second-factor approval process as standard notifications. Authenticator apps use internet connectivity to deliver login approval requests, which is more secure than using phone lines. DUO and Google Authenticator are examples of these apps.

  • U2F devices. Universal Second-Factor (U2F) devices are similar to tokens: they’re small physical devices used exclusively to verify logins. Instead of attaching to a keychain like a token, however, U2F devices are designed to fit in an open USB slot. (Older models use USB-A ports, newer versions fit in USB-C slots.) When a user enters their password on a computer with a U2F device plugged in, they’re prompted to tap the physical U2F device to gain access. U2F devices are popular because they’re so easy to use — a simple tap and you’re done — but using one means giving up an available USB port, which isn’t always an option for all users.
  • Passcodes. Passcodes are the most common form of 2FA, and usually consist of a short string of numbers sent to a smartphone. Passcodes count as 2FA. Since they rely on phone lines, however — which can be compromised — they represent the least secure method. Passcodes aren’t a real hit with users, either: each code must be manually entered, which can be a nuisance.
  • Tokens. Many web security teams opt to arm their users with tokens. These typically are small keychain fobs that generate codes for users to enter as their second factor. RSA makes the most recognized tokens. Tokens are more secure than cellular-delivered passcodes, as they don’t rely on phone lines, but they don’t address the annoyance of entering codes. (In fact, they may make that worse, as you can’t copy and paste a code from a token.) Tokens are attractive because they are affordable and don’t require system administrators to collect phone numbers — but they’re battery-operated, and batteries die. Using tokens will mean dealing with the headache of timing replacements to avoid users losing access to crucial systems.
  • Phone callbacks. Phone callbacks are one of the less popular versions of 2FA, but they’re an effective — if time-consuming — way to implement a second factor. In a phone callback setup, once a user logs in, they receive an automated phone call that prompts them to approve or deny the access request. DUO also provides this type of service.
  • TOTP. Time-based One-Time Passcodes, better known as TOTP, are similar to passcodes. Instead of a service sending the user a series of numbers, however, an app generates a one-time-use passcode that will quickly expire. Doing it this way means users can still use their authenticator app (which will generate TOTPs on demand), and no insecure phone lines get involved.

Getting Started with 2FA

Because 2FA is a cloud-based service, it’s relatively easy to implement and can be rolled out gradually to your organization. The basic process for getting started goes like this:

  1. Determine which 2FA service you’ll be using. Remember: 2FA shouldn’t be your only security approach. A strong security platform will both make it easy to set-up multi-factor access with your most important apps and provide other avenues of defense, like customizable access policies. If you have ambitions of someday moving to a zero-trust model, a coordinated approach that includes, but isn’t limited to, 2FA is essential.
  2. Establish a proof of concept with a small group of users in a low-stakes environment. Before you roll out 2FA to your entire organization, test it out first and address any issues you identify. Get a small group of users who will be communicative about the process and work with them ahead of time to understand how it will work for them.
  3. Enable 2FA using integrations for each service or application you’re protecting. To set up a specific application or service to work with 2FA, you’ll need an integration — a means of getting the application or service to work with 2FA. However you choose to move forward, make sure you’ve got a plan for integrating each of your critical systems with your 2FA service.

Conclusion


AT-NET’s staff is well versed in 2FA, and our services include setting up your company’s 2FA as a standard part of our engagements. In the post-password world, strong web security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means two things: (1) if you’re currently relying on passwords alone, it’s time to evolve, and using 2FA is a solid first step; and (2) 2FA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.

To learn more about our Managed Services go to our Managed Service Provider page.
