Two-factor authentication is rapidly becoming the new norm when it comes to password protection and online security.
We all know that we should take better care of our online security.
However, we do a crappy job of making sure that we have long, complex and unique passwords for every online service. Security breaches leaking passwords are common.
Enter “two-factor authentication”, also known as “2FA”, “multi-factor authentication”, or “two-step verification”.
Two-factor authentication is an additional step you complete when logging into a site. It is based on the premise that your data is safest when you sign in with both something you know (your password) and something you have (your phone or a security key).
CommArc Consulting security analyst Steve Brorens says the particular 2FA or MFA (MultiFactor Authentication) system you choose isn’t critical, as long as you choose one for each online service you log in to.
It’s also vital for remote logins to your systems if you’re a business owner.
With the increase in flexible working hours and locations and the ability to work from home, Brorens says it’s imperative that businesses invest in some sort of 2FA for accessing business systems.
“There may be the cost of time and set up initially, but not having 2FA for your business is like driving without a seatbelt. Sure, you might not get in an accident, but if you do, the odds of surviving are infinitely better if you’re strapped in.
“Similarly, the odds of becoming victim to a phishing campaign or your staff being hacked seem very remote. But if it happens, you’re going to wish you’d had something in place to protect you.
“There are many ways passwords can be snatched, leaked or guessed,” Brorens says. “If 2FA is not in place these can be immediately used to do Bad Things. With a second factor, in most cases, it’s next to impossible for the Bad Guy to actually do anything with the password.”
Most platforms now support 2FA, and while it can take a bit of time to set up, it’s worth the investment. The second factor can be an app on your phone, a text message, a remote token or a list of codes that you carry around with you.
The premium option for 2FA is a physical USB security key, such as a YubiKey or Google’s Titan, which you keep on your keyring.
These use Universal 2nd Factor (U2F), where the login process is completed with the USB device and the press of a button. The biggest disadvantage is the cost of the keys – about $60 each.
“Next best is One Time Password (OTP) systems using apps like Google Authenticator, Authy or Microsoft Authenticator on your phone,” says Brorens. These apps require you to scan a QR code once when setting up 2FA, and then enter the (usually) six-digit code the app generates each time you log in.
Brorens says the simplest systems are those that “dial back” to your phone when you log in. You’ll either be prompted to press a specific key, or you’ll be texted a code to complete the login process. While slightly less secure than security keys, these are still a massive step up from nothing – and are very simple to set up and use.
Whichever system you choose, two-factor authentication is the new norm for passwords, says Brorens.
“The issue is that if all you have for protection is the secrecy of the password, we can’t protect you if that is compromised.”
“It might seem simple to ‘not allow someone pretending to be Steve to log in from China at 3am’ but what if you need to go there? It gets far too tricky to set up such rules.”
While facial and fingerprint recognition is the next stage in personal online security, until it’s widespread (and the bugs have been ironed out) you’re going to need some form of two-factor authentication.
- The New Zealand Government CERT website has a good overview page: https://www.cert.govt.nz/businesses-and-individuals/guides/keeping-yourself-safe-secure-online/two-factor-authentication/
- They also have a specific page for businesses at: https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/two-factor-authentication-as-a-security-tool-for-business/