One of the most important parts of your IT security strategy is protecting your user logins. Users are notorious for bad password habits, such as storing passwords insecurely and choosing weak ones. They also tend to reuse passwords across multiple applications.
77% of all cloud account breaches are due to hacked or compromised passwords. While you can put policies in place to improve password security among your staff, passwords can also be compromised outside your company.
This happens all the time when large companies (Marriott, Target, etc.) have their defenses breached, which can lead to entire databases of user logins being stolen and sold on the Dark Web.
Compromised passwords cause all sorts of issues with compliance and business continuity, which is why many smart companies use two-factor authentication (2FA).
2FA is when you add another factor of authentication beyond just the username and password combination.
Standard Factors of Authentication
There are three main factors of authentication to ensure a user logging into a system is the legitimate account holder. These are:
- What you know: This is the most common factor of authentication: knowing your username and password. It can also take the form of a challenge question.
- What you have: This is the most common form of 2FA, a code that is sent to a specific device in the user’s possession.
- What you are: This is a growing form of 2FA and is being used widely for mobile devices already. It involves the use of a biometric, like a fingerprint scan.
According to a study released by Google, device-based 2FA can reduce account takeovers by anywhere between 76% and 100%, depending on the attack type and the 2FA method being used. Not all 2FA methods are created equal.
Comparison of Different 2FA Methods
Text Message (Least Secure)
A common method of 2FA is to send a text message to a phone number that you’ve already authenticated with the system.
When you initially set up text message-based authentication in a program like Microsoft 365 or your online banking, you'll usually get an initial text with a code. This verifies that the device receiving SMS messages sent to that number is in your possession.
Then, whenever you log in, you'll typically click a button to send a code to your phone, receive it by SMS and enter it within a certain time (usually 5-10 minutes) to complete your login.
This is the least secure of the 2FA methods compared here.
In the Google study, SMS was between 76% and 100% effective at blocking fraudulent sign-in attempts. The other methods studied were between 90% and 100% effective.
The reason this is less effective is that someone can get their hands on the SIM card for your phone or clone it, meaning they could receive those text messages. Additionally, both Microsoft and Apple offer the ability to receive text messages on a computer, which gives hackers another potential avenue.
Authenticator App
An authenticator app is a specific app on your smartphone that either shows you an on-device prompt or generates a 6- to 8-digit passcode every 30 seconds that can be used for sign-ins on specific online accounts.
Authenticator apps are more secure than SMS because they are not tied to your phone number or SIM card. An example of one of these is Google Authenticator.
Using this type of 2FA is pretty much just as convenient as using SMS. You do need to ensure that the service you want to use 2FA for is compatible with the authenticator app you choose.
In the Google study, on-device prompts were 90%-100% effective at stopping account takeovers.
Hardware Security Key
A fairly strong version of 2FA is hardware authentication, also known as using a hardware key. This involves a small device that looks like a USB stick. The security key can be used with both computers and mobile devices. A good example of one is YubiKey.
When you initially purchase the key, you set it up to work with your various accounts and it authenticates sign-ins using FIDO2 security protocols.
The Google study found security keys to be 100% effective against all types of attacks (automated bot, bulk phishing attacks, and targeted attacks).
Biometrics
Another extremely effective method of 2FA is biometrics. This is the use of a retina or fingerprint scan, or facial recognition, to authenticate you as a user.
The drawback with biometrics is that it is currently used mainly to unlock devices, like iPhones, or to log into some social media services. It is not yet widely supported across the web, making it difficult to use for all your various online accounts.
Get Help Setting Up Solid Authentication & Access Protocols
C Solutions can help your Orlando-area business put the 2FA protocols in place that make the most sense for your users and that keep your accounts protected.
Schedule a free consultation today! Call 407-536-8381 or reach us online.