Time has marched on and there’s no getting around it: the password as we know it is dead. The information we keep online is too important to only safeguard with a single string of characters. Our security methods are evolving. The web pirates are constantly attacking and stealing passwords.
Essentially, web security has moved from the Captain America approach — using one shield for self-defense: a password — to the Batman approach, where a utility belt of tools contains options for a variety of situations.
One of the most important resources in that utility belt is two-factor authentication (2FA). It’s a very cost-effective measure that protects against key threat vectors. The cybersecurity industry calculates that users who enabled 2FA ended up blocking about 99.9% of automated attacks. What 2FA means is that bad guys now have an have an exponentially harder time to gain access to your systems and information.
Let’s dig in to 2FA: why it’s important, how it works, and how you can get started.
Two-factor authentication means that whatever application or service you’re logging in to is double-checking that the request is really coming from you by confirming the login with you through a separate venue.
You’ve probably used 2FA before, even if you weren’t aware of it. If a website has ever sent a numeric code to your phone for you to enter to gain access, for instance, you’ve completed a multi-factor transaction.
2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.
2FA also does something that’s key to maintaining a strong security posture: it actively involves users in the process of remaining secure, and creates an environment where users are knowledgeable participants in their own digital safety. When a 2FA notification comes to a user, they have to answer the question, “Did I initiate that, or is someone attempting to access my account?” This underlines the importance of security with each transaction. While most other web security methods are passive, and don’t involve end users as collaborators, 2FA creates a partnership between users and administrators.
Different 2FA methods use varying processes, but they all rely on the same underlying workflow.
Typically, a 2FA transaction happens like this:
While the basic processes behind multi-factor authentication are generally the same across providers, there are many ways to implement it, and not all methods are created equal. Let’s dive into the various types of 2FA.
Generally, multi-factor authentication systems rely on at least one of the following approaches.
use internet connectivity to deliver login approval requests, which is more secure than using phone lines. DUO and Google Authenticator App are some of these types of Apps.
RSA makes the most recognized tokens.
ser a series of numbers, however, an app generates a one-time-use passcode that will quickly expire. Doing it this way means users can still use their authenticator app (which will generate TOTPs on demand), and no insecure phone lines get involved.
Because 2FA is a cloud-based service, it’s relatively easy to implement and can be rolled out gradually to your organization. The basic process for getting started goes like this:
AT-NET’s staff is very versed in 2FA and our services include setting up your company’s 2FA as a standard part of our engagements. In the post-password world, strong web security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means two things: (1) if you’re currently relying on passwords alone, it’s time to evolve, and using 2FA is a solid first step; and (2) 2FA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.