Two-Factor Authentication (2fa) is something we’ve written about before. Click here to read an older post about it, or here to read more about Nate’s book – The Cyber Security Guide. Knowing the importance of 2fa and its uses is a top priority in the tech world since it continues to help bridge the gap of cybersecurity. Today we will do a deeper dive into 2fa – more details about what it is, how to use it, and why it’s important.
Some of the best things in life come in twos…like coffee and creamer, pizza and soda, spaghetti and meatballs, peanut butter and jelly. Security is often the same. You have two locks on every door in your house. Why? Well, the hope is that if one fails the other won’t. Two-Factor Authentication is the same concept. EXCEPT - in the cyber world, you want to make sure that if one passcode fails, the second one will not.
SO WHAT IS TWO-FACTOR AUTHENTICATION ANYWAYS?
Two-factor authentication (2fa) is a method of establishing access to an online account or computer system that requires the user to provide two different types of information.
A factor in this context simply means a way to convince a computer system or online service that you are who say you are, so the system can determine if you have the rights to access the data services that you're trying to access. By far the most common authentication factor in use today is the username/password pair, and since most accounts only require a password for access, most systems thus use single-factor authentication for security. With two-factor authentication, you'll need to both provide a password and prove your identity some other way to gain access. Fruhlinger, J. (2019, September 10). 2fa explained: How to enable it and how it works. CSO Online. https://www.google.ca/amp/s/www.csoonline.com/article/3239144/2fa-explained-how-to-enable-it-and-how-it-works.amp.html
2fa might seem like it has one too many steps to take in order to keep one secure. You might think you don’t have anything interesting that someone would want to steal. But criminals are looking for any reason to get into your accounts and save your information for a rainy day. It’s easy to think that our passwords are hackproof, but the numbers tell a different story.
1. A Google survey found that at least 65% of people reuse passwords across multiple, if not all, sites.
2. Another recent survey found that 91% of respondents claim to understand the risks of reusing passwords across multiple accounts, but 59% admitted to doing it anyway.
3. Microsoft recently announced that a staggering 44 million accounts were vulnerable to account takeover due to compromised or stolen passwords.
4. The average person reuses each password as many as 14 times.
5. 72% of individuals reuse passwords in their personal life while nearly half (49%) of employees simply change or add a digit or character to their password when updating their company password every 90 days. These forced resets are an ineffective tactic. Jacobson, K. (2020, April 30). 8 Scary Statistics about the Password Reuse Problem. Security Boulevard. https://securityboulevard.com/2020/04/8-scary-statistics-about-the-password-reuse-problem/
When we dig deeper into the stats, we can quickly find out how risky reusing a password is, and how quickly we could find ourselves in a predicament with our information in someone else's hands.
The average computer is subject to a hacking attempt every 39 seconds, according to University of Maryland study. The first entry point a hacker will try is almost always your password. And if you reuse a password from one site to the next, a breach at one site will often result in your account being compromised on others. Ubaid, M. (2019, November 16). Why you should never reuse a password. Tom’s Guide. https://www.tomsguide.com/reference/why-never-reuse-password#:%7E:text=The%20first%20entry%20point%20a,account%20being%20compromised%20on%20others.
We are all guilty of reusing an old password over and over again. It’s easy to remember and we can arrogantly think, “Well, I haven’t been hacked yet…” That is not a good thought process to have. Placing our cybersecurity first and protecting our applications and information is the best way to protect ourselves and our businesses. As we can see from the numbers, one attack could cripple a company or an individual. We have our trusty password that holds down our email, computer, and bank account. While this may be simple, it’s very risky and can leave quite a few open “back doors” to your cybersecurity.
SO DOES IT WORK?
According to the experts, 2fa is one of the most secure ways to protect yourself from a cyber-attack. As Nate Sheen writes in his book, The Cyber Security Guide: “2fa is important, as it cuts down on the chances of a brute force attack. This is where a hacker will persistently attack your account with login attempts in the hope of guessing your password. Even if they guess if correctly, they then will need access to your email or cell phone… Even with 2fa you should have strong unique passwords.”
Multi-factor authentication (MFA) works by combining “something you know” (i.e., your credentials) with “something you have” (i.e., a time-based one-time password, or TOTP, generated by an authenticator app often downloaded on your phone) to gain access to IT resources. At login, users present the two factors, and if they are correct they will be granted entry. MFA is proven to be more effective than just using credentials because, while it’s comparatively easy to obtain user credentials via phishing attempts or credential stuffing, bad actors cannot obtain a user’s second factor for authentication without going to greater lengths, which they often will not do. Instead, they’ll likely move on to the next potential victim. Coco-Stotts, K. (2020, April 29). How Effective is Multi-Factor Authentication? Security Boulevard. https://securityboulevard.com/2020/04/how-effective-is-multi-factor-authentication/#:%7E:text=MFA%20is%20proven%20to%20be,they%20often%20will%20not%20do.
SO NOW WHAT?
Here we are in the “How To?” section. How do we set up a strong 2fa and secure ourselves in the most optimal way? Here are a few ways you can set up a secure 2fa on all your devices:
1. Through a text message code.
This is a quick and easy way to get started with 2fa, though you should also follow other safety steps to ensure further security. SMS 2fa is the most common form of code sent through SMS. However, it can easily be compromised by hackers. Especially if your phone is lost or stolen.
This encompasses a couple of different things, from facial recognition to a fingerprint. It’s not all that different from putting your fingerprint into your smartphone. Your face is not something that can be duplicated or faked like a password or by answering security questions. This brings a level of security that surpasses most security precautions.
3. A physical key.
Now you might be thinking I’m crazy - isn’t this a little old school? A pirate with a treasure chest type key? Well, your security is a treasure that many hackers would like to get their hands on. Having a Security USB key that you keep with you at all times on your key ring could be the only thing that keeps a hacker away from your business. Even if a hacker makes it through your 2fa and passwords, without the USB security key, they can’t go any further.
Finding the right security key for you will take some research. There are many different USB security keys out there, and they each have their own features and options. This article from reviewgeek.com, gives us a few things to consider when trying to determine which is the best fit for you:
Price and Setup: Security keys have a fairly narrow price range, typically between about $20 and $50, so you don’t have to worry about dropping a few hundred bucks on one or anything. The keys should also be super easy to set up and use on demand.
Device and Account Compatibility: Every hardware key is not created equal. Some connect to your computer via USB-A or USB-C, while others only support Apple’s Lightning ports. Newer options can even support Bluetooth and NFC, making them compatible with smartphones. Make sure that the key you choose will work with all the devices you want to use it on, from macOS and Windows to Android and iOS.
Durability: Because a security key is something you’ll potentially be using every day, it’s critical that it has a durable design made of high-quality materials. The metal connectors that connect with those in your device’s USB port should be sturdy enough to stand up to thousands of uses. The best security keys can withstand being dropped (or having something dropped on it), and are water-resistant, too. Humphries, S. (2020, December 8). What is a USB Security Key, and Should You Use One? Reviewgeek. https://www.reviewgeek.com/63448/what-is-a-usb-security-key-and-should-you-use-one/
4. An Authenticator App.
This is an app you would download to your phone or computer. Whenever you log in, a unique code is sent to you through the app. Now you have a one-time-only unique code that changes every time you log in…keeping the hackers far away. There are many authenticator apps out there to choose from. Google Authenticator is the most common and trusted app among users.
Using it is very simple and can introduce beginners to the basic premise of most 2FA apps. What you do is enable two-factor authentication on your services such as Facebook, Gmail, Dropbox. etc. Once it’s enabled, the service will ask you to take a snapshot of a QR code using the app—Android users need to download a QR code reading app to work with Google Authenticator. Paul, I. (2019, June 5). What is two-factor authentication, and which 2FA solutions are best? PCWorld. https://www.pcworld.com/article/3225913/what-is-two-factor-authentication-and-which-2fa-apps-are-best.html
BUT I HAVE A BUSINESS - HOW DO I BEST GO ABOUT PROTECTING IT FROM AN ATTACK?
Forming a protective plan before you are attacked is the best way to fully protect your company and your employees’ information. Anticipating an attack in the cyber world is just smart planning. We don’t know when or how this could happen but putting safeguards in place is the best defense. We want to build those security walls around our businesses to keep them safe.
As Nate Sheen writes in his book The Cyber Security Guide: “You should enable 2fa on every account you have. If a provider has this as a choice, you should add it now. Many financial institutions have this in place but may not require it. You may need to request it as a feature on your account. If they do not have this feature, many have fingerprint ID or face ID as a choice, which gives you more security than a simple password.”
But perhaps you would like to take it a step further or just want an expert’s help to establish a safe network for your company or for your own personal security? Datacom Technologies offers a variety of options to help you prepare for any attack. Along with monthly plans to help you better protect yourself, we also will walk through the process with you and help create a unique, structured, security option just for you. You can visit our website here to connect with us directly or call us at 330.680.6002.
Be sure to get your own copy of Nate’s book - The Cyber Security Guide, for more cybersecurity tips for protecting you and your company.