Two Factor Authentication, otherwise known as 2FA is here to stay. There was a time when concerns about cybersecurity were considered the domain of tech insiders and conspiracy theorists, and the average computer user was happy to go with something like Password1 or the name of a pet. But a quick look at the news shows that the list of companies that have experienced serious breaches includes many of the biggest names in online life like eBay, Facebook, and Twitter, alongside companies which deal with the data of millions of people, such as Dropbox, Equifax, and LinkedIn.
Checking your email on a site like haveibeenpwned.com will quickly show you exactly how many times your personal or work email address has been part of data breaches across the internet.
A lot of media treatment of hacking leads people to believe that attacks are sophisticated affairs, involving high-level coding performed by skilled and unscrupulous developers. But while highly technical attacks certainly exist, the vast majority of security breaches are the result of either stolen or weak passwords – Verizon’s 2017 Data Breach Investigations Report put this figure at 81%.
Close To Home
A common and relatively low-tech attack that has affected a number of New Zealand businesses recently is using hijacked email accounts to impersonate staff. Once a scammer has obtained a staff member’s email password they can then spend a short time studying the employee’s email correspondence to get a feel for their usual writing style, work schedule and so on. It’s then relatively easy for them to email a client or even their own financial services department with a request for funds transfer which seems legitimate at first glance.
Currently in New Zealand a number of law firms have been successfully targeted in this way – clients receive an authentic-looking email notifying them of a change in bank account details, and in cases where the client is already expecting a request for payment, and time is a factor – such as property settlements – scammers are often able to walk away with large sums before the alarm is raised. And remember, this kind of attack doesn’t involve genius-level hacking: it’s possible simply because a scammer got hold of a password – either because it was weak, or because it was stolen.
Combating the Risk of Weak or Stolen Passwords
The good news is that there are steps all users can take to keep their passwords strong, such as using different passwords across different services or using password managers. And there are some steps you can take to reduce the risk your passwords will be stolen.
But if you want to offer your customers an extra level of security, you might consider Two-Factor Authentication (2FA).
Also known as Multi-Factor Authentication or Two-Step Verification, 2FA calls for the user to provide two pieces of evidence to access their account. This is often expressed as combining “something you know” with “something you have”. We already do this with ATM machines – you need to know both your PIN number and have your bank card if you want to withdraw your money.
Of course, an ATM card is not a solution for online security, which is why most 2FA leverages smartphones to provide the second factor. The most familiar example is probably the One Time Password – where users receive a numerical code, or a string of letters and numbers, via email or text message. They are then required to follow their password with this one-time code, usually within a certain time limit, in order to access their account.
Sending huge numbers of text messages could quickly become too costly for some companies, so another method known as Time-Based One Time Password was developed. In this system, an authenticator app on the user’s smartphone generates a temporary passcode every 30 seconds or so, whether it is connected to the internet or not. The code is made up of a shared secret key and a timestamp, meaning unique passcodes are generated as time passes, and making the codes harder to fake. This is the system used by Twitter and Facebook, among others, when users enable 2FA on their sites.
So should you use Two-Factor Authentication?
The short answer is most likely yes! If you have employees, either on remote networks or in your offices, logging into business systems such as email and VPN or other line-of-business applications then 2FA will form part of a comprehensive security strategy.
The NZ Government’s cyber-security specialist cybersecurity site cert lists the benefits of 2FA as:
- strengthening login security
- meeting customer expectations
- reducing the risk of data theft
- protecting otherwise risky access methods such as remote access.
Many bank websites, cloud storage accounts and password managers default to 2FA. When it comes to cyber security there is no single answer to all possible issues, but a common sense approach involves taking a range of steps to ensure you are as well-protected as possible.
If you have further questions about security online, or other issues around IT support, don’t hesitate to contact us today.