If you want to keep yourself protected from the majority of hacking attempts, you should be using Two-Factor Authentication (2FA). You may also see it referred to as Multifactor Authentication (MFA) or One-Time Passcode (OTP). For the purpose of this post, I’m going to refer to 2FA. There are many different ways to implement 2FA, and they are not as inconvenient as you may think.
The fundamental premise behind 2FA is that, in addition to your username and password, you must present a second factor to be authenticated and complete your logon. While in the past 2FA was mostly confined to large corporate enterprises and the financial industry, this has rapidly changed in recent years and 2FA is available just about everywhere. If you’re not using it, you’re leaving yourself at risk.
Have you received an email from someone you know alerting you that their email account has been hacked and to ignore unexpected email from them? How about a friend request on Facebook from someone you are already friends with? Chances are you will also see a post from that person letting all of their friends know that their profile has been hacked and not to accept a friend request from them. Sound familiar? I’m sure it does.
Concretely, 2FA combines “something you know” with “something you have.” The “something you know” is typically a PIN, like the code you use with your credit/debit card. The “something you have” is a single-use code generated by a device or app in your physical possession. These one-time codes may be alphanumeric or just numeric. They used to be generated by physical tokens, key fobs that most people carried on their keychains. These days most are generated by what is commonly referred to as a “soft token”, an app that lives on your smartphone. When you log in to a system protected by 2FA, you enter your username and password, and then, in either an additional field that asks for your code or a prompt that appears after you enter your username and password, you enter your PIN (which only you know) followed by your one-time code (which you have). The combination is authenticated against your 2FA system and you are logged in.
Most web-based systems support this type of authentication as well. Google Authenticator has become a standard for many; you just have to enable it and follow the simple directions to set it up. Another option many web-based services offer is a one-time code sent as a text message or email. I don’t like receiving these codes via email, as email is too easily open to interception. A text message is more secure, though with the right tools to clone a smartphone’s SIM card, these could be intercepted too. For most people, that is far less likely to be a security concern.
There are differences among 2FA technologies. The “token” based systems, which require a PIN to be combined with the random code, are the most secure, again because of the “something you know” and “something you have” combination. Systems that only require an OTP generated by an authenticator app or received in a message are a second category. These do not require the “something you know”, meaning a private PIN that only you know; they require only the OTP as the second factor. This is still 2FA, and it is still far more secure than having no 2FA in place. In corporate networks you will typically find the combination PIN + code systems. For public web-based systems like email services and social media sites, you will find their implementation of OTPs.
Regardless of the underlying technology, 2FA helps defeat the most common source of hacking: weak passwords. Most hacks are accomplished by guessing a user’s password. 2FA prevents this and provides a level of identity assurance, matching the logon to the actual person.
There are more and more 2FA solutions coming to market, and the best also offer something called Single Sign-On (SSO). If you are interested in learning more about 2FA and how to use it in your workplace, check out one or more of the following companies: Duo, AuthAnvil by Kaseya, Okta, RSA. To learn more about how web-based systems make 2FA available, check out these pages to learn how to secure yourself on these systems: Facebook, Google, LinkedIn, Twitter. I am not endorsing any of these companies, though I will say that I respect each and have worked with them throughout my career. Any time you have to log in to a system, including your bank, search for “two factor authentication” and see what they offer to help you further secure your account beyond your username and password. The links above are good examples and solutions that will serve you well.
If your company does not presently offer 2FA, expect it to require 2FA in the not too distant future. It’s becoming a standard, and it is how I have worked for many years now. For any web-based systems that you use, search their help system to see if they support 2FA, and if they do, enable it. Before you know it, you will not even mind the extra step to complete your logon, and you will have taken the easiest and most important step that you can to safeguard your accounts and your identity. As the Nike slogan so aptly states, “Just Do It!”