Password Security: Part Three – Two-Factor Authentication

In the first two segments of this three-part series on password security, we gave you the tools to both create and manage complex passwords for each of your online accounts. If you missed those posts, or just need a quick refresher, feel free to check them out before moving forward.

Part One (Implementing a Passphrase Standard)

Part Two (Managing Multiple Passwords)

With that information in hand, we’re ready to make the leap into a slightly more complex layer of password security, two-factor authentication. In this final installment, we’ll wrap things up by highlighting the benefits of implementing one of these services, while helping you decide which method may be right for you.

 

We’re Going to Need to See Some I.D.

Before we dive too deep into the topic, it’s best we take a look at the overarching idea of two-factor authentication (2FA). What is it? How does it help me? What are my options? The answers to these questions, and more, lie just around the corner. But, for now, let’s simply take a look at what 2FA is, and the service it provides.

Airline Analogy

To assist in making this complex topic easy to comprehend, let’s briefly reflect on a common experience, such as boarding a plane with your favorite airline service. For a moment, imagine you’re waiting in the TSA check lane, ticket in hand, ready to rush to your assigned gate. When you reach the counter and present your ticket, the TSA agent halts the process, asking to see some photo identification. While this slightly inconveniences your seamless travel experience, you understand that the agent is taking the proper steps to verify that the ticket belongs to you. Once he or she confirms that the name on your I.D. matches the one on your ticket, you’re free to continue the boarding process.

Keeping this analogy in mind, think of 2FA as a TSA agent of sorts. Whereas most login procedures simply ask that you enter one password (your ticket to board), a 2FA service requires a second proof of identity from a different category than the password: something you have, such as your phone or a hardware token, or something you are, such as a fingerprint. For most use-cases, 2FA software can be downloaded to your smartphone via the app store. Once installed, the software must be linked to the account in question, usually by scanning a QR code that the website displays during setup. While not every website supports 2FA, most major services now offer it. After linking your 2FA application to the desired account, the sign-in process will look quite normal at first glance. Only after you correctly enter your username and password will you be prompted with a second verification screen, courtesy of your 2FA provider.

Great! So, What Are My Options?

Depending on the service used, you may be asked to use one of the following methods to prove your identification:

Biometric verification: For smartphone users, your application may ask to scan your fingerprint, iris, or voice before it will let you into your account. This is the most convenient of the options and usually gives the quickest login. Two caveats are worth knowing: on a phone, the biometric normally unlocks a credential stored on the device rather than being sent to the website, so the phone itself is still the second factor; and unlike a password, a fingerprint cannot be changed if a copy of it is ever obtained.

Software tokens: Similar to the first approach, this process also requires you to have your smartphone with you while logging into your account. These are short numeric codes (usually six digits) that the 2FA application computes on the phone from two inputs: a secret key shared with the website when you linked the account, and the current time. A new code appears every 30 seconds whether or not you open the app, and the website computes the same code on its side to check yours. Because each code is only accepted for a brief window, a code that someone manages to learn is worthless once that window passes. Below, you can see both a screenshot of Facebook’s authentication prompt, and the token needed to access said account.

Facebook Authentication Prompt

 

Facebook token generated via mobile application
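To make the software-token mechanism concrete, here is an added example written for this article; it is not code from Facebook’s app or from any authenticator product. It implements the time-based one-time password algorithm those apps use (RFC 6238, built on RFC 4226 HOTP): the phone side that computes a code from the shared secret and the clock, the "otpauth" text behind the enrollment QR code, and a server-side check that tolerates a little clock drift and refuses to accept the same code twice. The names `otpauth_uri` and `TotpVerifier`, the one-step drift window and the replay check are this example’s own choices, not requirements of the RFCs; the account and issuer strings in the demo are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh random shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """Text behind the QR code the website shows at enrollment (the de facto 'otpauth' key URI)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated to `digits` decimals."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore any stripped base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second time slice.
    This is what the phone computes; nothing is sent or received to produce the code."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step), digits)


class TotpVerifier:
    """Server-side state for one enrolled user: the shared secret plus the last
    accepted time step, so a code that has been used once is not accepted again."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window      # steps of clock drift tolerated either side of 'now'
        self.last_counter = -1    # highest time step already consumed

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        if not submitted.isascii():
            return False
        now = time.time() if at is None else at
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replays
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: enroll a user, compute the phone's code, check it server-side.
    secret = generate_secret()
    print(otpauth_uri(secret, "alice@example.com", "ExampleSite"))  # hypothetical account and issuer
    code = totp(secret)
    server = TotpVerifier(secret)
    print("code", code, "accepted:", server.verify(code), "replay:", server.verify(code))
```

Two things the code makes visible that the screenshots cannot: the phone never transmits anything to produce a code, which is the difference from SMS delivery discussed in the side note below; and the server accepts a code for roughly a minute (the current step plus one either side), which is why a code that is captured and relayed within seconds is still valid, and why the verifier records the last step it accepted.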

Side Note: When using this method, it’s worth highlighting the benefit of generating a token within a smartphone application over services that send codes via standard text messages. An app-generated code never leaves your phone until you type it in; a code sent by SMS travels through the phone network and can be diverted before it reaches you, for example by an attacker who talks your carrier into moving your number to a SIM they control (a “SIM swap”). Reddit’s 2018 breach is a case in point: the attacker got past SMS-based 2FA on employee accounts, and Reddit’s own disclosure singled out SMS intercept as the main attack.

Push notifications: Alternatively, instead of asking you to submit a generated token, your 2FA provider may send a notification to your smartphone when someone attempts to log into your account. By tapping on this notification, you can either approve or reject the login attempt. In the first image below, you can see what is displayed when a user attempts to log in to a secured account. Once the individual selects “send me a push,” the following screenshot is what is displayed in the user’s smartphone application. One caution: only approve a push for a login you just started yourself. A prompt that arrives when you are not logging in means someone else has your password and is trying to use it; reject it and change the password.

Prompt asking for authentication

 

Push notification sent to smartphone

Static PIN: Some 2FA providers may give you the option of setting an additional PIN to use during account logins. While this method does add an extra step, it’s important to note that it is weaker than the options above. A PIN is still “something you know,” the same category as your password, so it is not a true second factor, and a short numeric PIN is far easier to guess than a passphrase. Therefore, we recommend using one of the aforementioned options.

I’ve Never Been Hacked. Do I Really Need This?

So, now that you understand what 2FA is, it’s best that we elaborate on its importance. To help put this into perspective, let’s take a brief look at Deloitte, one of the world’s largest accounting firms. In 2017, The Guardian reported a breach of Deloitte’s global email system, which gave one hacking group access to information from some of the organization’s largest clients, including four US government departments.

Now, for a brand that offers cybersecurity services to multinational banking companies, I bet you’re curious as to how this attack occurred. Well, what it boils down to is that the administrator account the attackers used was protected by a single password, with no two-step verification enforced. Once that one account was compromised, the hackers reportedly had unrestricted access to all areas of the email system, including messages and credentials belonging to Deloitte’s 244,000 staff. From there, the thieves were able to view the confidential information of Deloitte’s multinational clients.

While the technique used to break into that account has not been revealed, it’s important to understand that there are a variety of possibilities, and that 2FA itself is not immune to all of them. As we discussed previously, one 2FA method is to generate time-limited codes via a smartphone app. Unfortunately, even though these codes expire after a short period, a hacker can still capture one through phishing and use it before it expires. For those who need a quick refresher, phishing is the practice of sending fake but convincing emails, for instance one informing recipients of a made-up breach that requires a password reset. Once the link is clicked, the user is sent to a fraudulent page that asks for both their password and their current 2FA code; the attacker’s page relays both to the real site within seconds, well inside the code’s lifetime, so the short expiry does not help. (Methods that check the website’s real address before releasing the credential, such as hardware security keys, are not fooled by a look-alike page.) Because it only takes one compromised account to infiltrate a company’s IT infrastructure, it remains paramount to conduct regular phishing testing within your organization. By scheduling a free trial of Rocket IT’s phishing prevention system, you can ensure your organization remains proactive in halting security breaches.

A Final Word of Advice.

Although implementing two-factor authentication is necessary to achieve a heightened level of security, it’s no replacement for a strong password. Instead, 2FA should be used to supplement the complex password you generated when following the steps listed in part one of this series.

Additionally, we do have one more word of caution. Because 2FA relies heavily on mobile applications, it’s important to follow your 2FA provider’s instructions on establishing a secure backup method, usually a set of one-time backup codes issued when you link the account. Store those codes somewhere other than the phone itself, such as the password manager from part two of this series, so you can regain access to your account should your phone be lost, stolen, or replaced.

By implementing a cybersecurity trifecta of password complexity, management, and 2FA, you’ve laid the foundational building blocks of your organization’s security stronghold. With that said, it’s important to constantly monitor security trends, allowing you to maintain that frontline of defense. Therefore, we encourage you to regularly check the Rocket IT newsroom for updates. In the meantime, if you should have any questions pertaining to our series on password security, feel free to give us a call at 770-441-2520. Together, we can ensure your organization remains vigilant in protecting its assets.