Two-factor authentication, or 2FA, is becoming a necessity in today’s world of security breaches. When you allow a single set of credentials to play the only role in authentication, one compromised set is all an attacker needs to steal or manipulate company data. Adding a second factor makes it much harder for malcontents to cause damage, which makes 2FA attractive for organizations looking to boost their security posture. For those of you getting your feet wet in the world of 2FA, our beginner’s guide to 2FA will teach you the basics of 2FA, what it protects against, how users obtain second authentication factors, and more.
Are MFA and 2FA the Same?
Multi-factor authentication (MFA) and 2FA rest under the same umbrella, but have subtle differences. Both terms apply the same concept to identity security, but MFA implies there could be more than one or two factors required for authentication, while 2FA strictly refers to the second factor. If you’re attempting to access a resource that has MFA or 2FA enabled, you’ll need at least one factor beyond your password in order to get in. Think of it like this: Your password is something you know, and the second factor comes from something you have, like a code from your smartphone.
What Can 2FA Protect Against?
Some people see 2FA as a nuisance because it has the potential to interrupt workflows. But, what equates to a minor inconvenience actually pays large security dividends in the long run. Let’s take a look at a few examples of what 2FA protects against.
Just about everything a user accesses via their system happens by way of authentication. To get into the computer itself, you need a password. If you want to access a web-based application, enter a passphrase. Networks? Same thing.
According to Security Magazine, business users average about 191 passwords, which is a lot to remember. To remedy their password fatigue, sometimes users pick weak passwords that are easy to guess to save themselves from having to remember so many of them. When users do this, bad actors don’t face much resistance when trying to get into a resource. If they can obtain at least one set of credentials from a user, they can try that same set on various resources that need authentication and gain entry. Alternatively, they can crack the password with a piece of software. But, if 2FA is set up to protect whatever resource the malicious actor is after, a single form of authentication won’t be enough to gain access, and they’ll be stuck at the login portal.
Bad actors send out emails that look and feel like official correspondence from a company you know and trust. Many times they ask you to reset your password, and if somebody falls for it, their password is compromised. But if you have 2FA enabled, the phished password alone isn’t enough for a bad actor to access the resource, and you have time to change it. Realizing this benefit only requires you to start implementing 2FA and sourcing your second factor.
Where Do Second Factors Come From?
When you sign up for a new service, you’re often given options for how you want to implement 2FA. Some give you the choice to use a code sent to you via SMS. Others let you source your second factor from an authenticator app, like Google Authenticator™. And even if you don’t set up 2FA when a new account is created, you can go through the settings of most apps and implement it there.
Different 2FA Sources
Some 2FA tokens are more secure than others. For more information about how secure each one is, check out Google’s security blog. Here are a few for reference:
- Text Messages: Some services let users input codes sent to them via text message to access services. This is perhaps the most common method, but beware, bad actors can intercept these codes via SIM card swapping. Essentially, bad actors convince mobile carriers that your phone has been lost or damaged, and the carrier sends them a new SIM card. With that SIM card comes all the text messages and phone calls that you should be receiving but aren’t — including your 2FA codes.
- Authenticator Apps: Installed on your cell phone or desktop, applications like Google™ Authenticator, Duo®, and others utilize time-based one-time passwords (TOTP) to secure identities. These codes regenerate after a set period of time, so guessing one is nearly impossible. Plus, they’re very easy to set up. A common workflow looks like this: Link your account, scan a QR code, and use the app every time you need a second form of authentication to access your systems, applications, and networks.
- Physical Keys: Tools like Google Titan™ and YubiKey plug into a system’s USB port and act as the second form of authentication — but some can also connect via Bluetooth. It is important to note that different keys have different abilities. Some only protect web-based applications and others can be used to act as a second factor for systems. Knowing the abilities of each can save you trouble later.
Find the Right Vendor
First, make sure that whatever IT resources you want to apply 2FA on support it. We suggest using 2FA on as many resources as possible — including networks. But, this can’t be done without the right vendor, so choose wisely.
To learn more about 2FA, such as where you can apply it and how, drop us a line. Or, visit our 2FA page to learn all the ways you can use 2FA to increase your security. If you’re the type to get your hands dirty, sign up for a free account and start implementing 2FA for the resources of up to 10 of your users at no cost to you.