Two-Factor Authentication ensures only trusted users have access to your network and data.
What Is Two-Factor Authentication (2FA)?
Two-factor authentication (2FA) is becoming increasingly prevalent in today’s business environment. With cyber criminals gaining access to networks and data by merely guessing commonly used user passwords, or using stolen credentials found or purchased on the dark web, 2FA incorporates an additional layer of protection into your existing security strategies to ensure users really are who they say they are. With hackers becoming more and more devious, it’s vital that you no longer rely solely on passwords as your only form of user authentication. Accounts must be secured by more than a single layer of security, which is where Two-Factor Authentication comes in.
Two-Factor Authentication works by requiring users to enter an additional code upon login to verify their identities. When a user tries to log in they receive a push notification on their device or generate a code using the app on their device. They are then prompted to enter that code, or approve the login via push, before being granted access. Because the unique code changes every time a user attempts to log in or after 30 seconds have passed, it becomes virtually impossible for a hacker to gain access, even if they know the user’s password. Due to how the code is transmitted to the other device, it’s also very difficult for it to be hacked.
However, some forms of 2FA are not foolproof. If a cybercriminal has access to a user’s cell phone or email account, they may be able to circumvent Two-Factor Authentication security by intercepting the authentication code. We make sure 2FA is enabled on users’ email accounts and use a premium 2FA provider called Duo to limit these kinds of threats.
One of our preferred 2FA/MFA vendors is Duo. Duo is designed to make it easy to implement 2FA at any business. It allows you to add users, look at device security reports, and more. Duo is designed to be compliant with a number of different regulations as well, including HIPAA. You can also configure policies to help approve or block access. For example, you can create a policy that blocks anyone attempting to log in from a country where you have no offices.
Implementing Two-Factor Authentication is not difficult or time-consuming, nor does it require you to purchase a lot of new hardware. When you decide to make use of 2FA, we will set you up with a Duo account and implement it across your network. The biggest change is on the employee side of things. Everyone will need to install the authentication app on their phones and enroll. Once that’s done, everyone can begin logging in using the new 2FA system.
Two-Factor Authentication Ensures Users Really Are Who They Say They Are
Two-Factor Authentication (2FA) confirms a user’s identity before granting network access by making sure that a person approves the login with their mobile device. This prevents hackers from easily gaining access to the network simply by knowing someone’s login and password information. Without any sort of other authentication, anyone with the username and password can gain access to your network easily. All it takes is for one employee to write down their password and leave the note out where people can see it. That one small act circumvents your security and opens the doors to your network.
The problem of passwords doesn’t necessarily end just because users are creating strong passwords and are not writing them down, either. Many people use the same password in multiple places. This means that if they’ve used a password that’s been compromised on multiple services, it could be at risk. With Two-Factor Authentication, this isn’t an issue. The stolen username and password should be reported, of course, and the password should be changed immediately. However, there is no instant risk of your network being compromised unless the code was being sent to the user’s email and there is easy access to that email account on the computer. Even then, the thief would actually have to look at the user’s email to find the code.
Two-Factor Authentication Platforms
History has shown that passwords aren’t always enough. Cybercriminals can guess commonly used passwords, find passwords that have been written down, or deploy brute force attacks that use a script to enter all possible password combinations. Even passwords that are over six characters in length and contain a mix of upper and lowercase letters, numbers, and symbols aren’t 100 percent secure. Two-Factor Authentication (2FA) works to mitigate these threats by adding an additional layer of identity verification.
Two-Factor Authentication Verification Codes
As mentioned above, when a user attempts to log in to your network, they are given a push authentication to approve on their mobile devices. If they have a problem with the push they can also be prompted to enter the unique code that’s generated on their mobile device. Upon entering the correct code, the user is granted network access. If they enter the wrong code several times in a row, an alert will be sent to the IT team and the account may be locked to prevent further attempts to hack it. This is often similar to how an account is locked after an incorrect password is entered several times in a row.
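The code check and lockout described above, sketched as an added example (not code from this page or from Duo). It assumes time-based codes per RFC 6238 with the 30-second step mentioned earlier; the `CodeVerifier` class, the three-failure threshold, and the one-step clock-skew window are hypothetical choices for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds a code stays valid (the 30-second window from the text)
MAX_FAILURES = 3   # assumed lockout threshold ("several times in a row")

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code is derived from the current time step."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CodeVerifier:
    """Hypothetical server-side check: skew window, replay block, lockout with alert."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_step = -1      # highest time step already accepted
        self.locked = False
        self.alerts = []         # stand-in for notifying the IT team

    def verify(self, code: str, now: float) -> str:
        if self.locked:
            return "locked"
        step = int(now) // STEP
        for s in (step - 1, step, step + 1):     # tolerate one step of clock skew
            # Steps at or below last_step are skipped, so a used code cannot be replayed.
            if s > self.last_step and hmac.compare_digest(
                    totp(self.secret, s * STEP).encode(), code.encode()):
                self.last_step = s
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            self.alerts.append(f"account locked after {self.failures} bad codes")
            return "locked"
        return "denied"
```

A captured code is rejected on reuse and again once its time step has passed, and repeated wrong guesses lock the account and record an alert.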
The user may also have the option to label the device they’re using as trusted so they won’t have to repeat the authentication process every time they log in on that device. However, when logging in on a new, unrecognized device, they will be prompted to re-verify their identity by entering a new unique code. That means anytime a cybercriminal attempts to log in, they would also have to have email or cell phone access to infiltrate your network. This forces hackers to determine where the access code is going and hack that device or account as well, which is much more challenging. Most hackers are looking for a quick and easy way of stealing data, so they will move on to another target.
Two-Factor Authentication Biometrics and Key Fobs
Some advanced 2FA systems now incorporate biometrics or key fobs such as YubiKey. Our preferred 2FA vendor, Duo, also supports YubiKey, so the user has to present a physical device they have possession of to authenticate. The user may have to press their finger against a fingerprint scanner or look into a camera with facial recognition before they can log in. Or, in the case of YubiKey, they have to insert the key fob and press the button on it. These options aren’t as popular as using an authenticator app simply because they require additional hardware that the company may not want to invest in. However, they may become more popular in the future when this type of equipment becomes much more commonplace.
Common Pushback on Two-Factor Authentication
While 2FA has been proven to be much more secure than standard passwords, some employers do still receive pushback on implementing it from their employees. One of the most common complaints they hear is that it adds complexity to logging in or takes more time. While this is somewhat true, the tradeoff of a minor inconvenience to the user for dramatically greater security to the company is worth it.
Another complaint is that 2FA requires employees to install an app on their smartphone. While this is true, these apps take up very little space and aren’t a major drain on the phone’s battery or other resources. Employees may also be able to purchase an authenticator key fob device as an alternative. These small devices can fit on a keychain and provide the access code, though they may not be able to show all of the information the app can, such as when someone attempts to log in or the login location. Receiving a phone call or requesting text messages may also be viable alternatives to downloading the app.
Some employees don’t understand why they need to have both a strong password and use Two-Factor Authentication. On their own, both are good security measures. When combined, however, they are much stronger. Those using only 2FA could be compromised if their phone is hacked. A strong password can be stolen via a keylogger program or compromised from another service if it is used on multiple platforms. When used together, however, it’s much, much more difficult to gain unauthorized access to an account.
By pointing out the reasons 2FA is preferred over standard passwords, employees should recognize why it’s important to use it. While some may still express their unhappiness with the extra step required, entering the authentication code will soon become second nature to most.
2FA User Training Is Essential
Training your employees to make use of 2FA is necessary to avoid some of the pitfalls of this security measure. Walking users through the entire authentication process and being on-site to assist users having problems the first day of the rollout can go a long way to easing user adoption and happiness.
Employees will also need to learn to bring their authentication device to work regularly. Since many people will use the authentication app on their smartphone, this shouldn’t be an issue. However, you will need to have a policy in place in the event that someone loses their phone or their phone dies and they need a day or two to get a replacement.
Once your team is trained on Two-Factor Authentication, they do need to be reminded that it’s still important to follow password best practices. This includes using strong passwords and changing them regularly. 2FA is not a replacement for passwords, nor should it be an excuse to use weak passwords.
Los Angeles IT Support With 2FA
If you’re ready to take a proactive approach to protect your network by incorporating the latest security strategies into your IT platform, the experts at Be Structured are here to help. We’ll pinpoint industry-specific threats and work with you to develop a comprehensive network security solution that’s built around your operations. Get in touch with our team today, and we’ll start exploring how to better protect your network.