History has shown that passwords aren’t always enough. Cybercriminals guess commonly used passwords, find passwords that have been written down, reuse passwords leaked from other sites, or run brute-force scripts that try password combinations until one works. Even long passwords that mix upper- and lowercase letters, numbers and symbols can still be phished, captured by malware or exposed in a data breach, so no password is 100 percent secure on its own. Two-Factor Authentication (2FA) mitigates these threats by adding a second, independent proof of identity, so a stolen password alone is not enough to log in.
Two-Factor Authentication Verification Codes
As mentioned above, when a user attempts to log in to your network, they are sent a push notification to approve on their mobile device. If the push does not arrive or cannot be approved, they can instead be prompted to enter the unique, time-limited code generated by the authenticator app on that device. Upon entering the correct code, the user is granted network access. If they enter the wrong code several times in a row, the system can alert the IT team and lock the account to stop further guessing. This mirrors how an account is locked after several incorrect password entries. Users should also be told to deny, and report, any push they did not trigger themselves, since a prompt approved out of habit lets an attacker who already has the password straight in.
The user may also have the option to mark the device they’re using as trusted so they won’t have to repeat the second step every time they log in from that device. When logging in from a new, unrecognized device, they are prompted to re-verify their identity with a fresh code. That means any time a cybercriminal tries to log in with a stolen password, they would also need control of the phone, authenticator app or mailbox that receives the code. This forces attackers to work out where the code is delivered and compromise that device or account as well, which is considerably harder. Most attackers are looking for a quick and easy way to steal data, so they tend to move on to an easier target.
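The code-entry fallback described above is, on the server side, a verification of a time-based one-time password (TOTP, RFC 6238) plus the lockout rule. The following is an added example written for this page, not code from Duo or from the original article. It assumes the defaults most authenticator apps use (30-second step, 6-digit codes, HMAC-SHA1), accepts one step of clock drift either side, refuses a code that has already been accepted, and locks the account after a hypothetical policy limit of five consecutive failures; the `Account` class and `MAX_FAILURES` are assumptions for illustration.

```python
"""Server-side check of an authenticator-app code (TOTP, RFC 6238) with lockout.

Added example for this article; not Duo's or the original page's code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by most authenticator apps
DIGITS = 6          # length of the displayed code
WINDOW = 1          # accept one step of clock drift either side of "now"
MAX_FAILURES = 5    # hypothetical policy: lock after this many wrong codes in a row


def totp(secret_b32: str, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the code the user's app shows at `for_time` (HOTP over the time counter)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Per-user state the server keeps: the shared secret, a run of failures
    for the lockout rule, and the last time-step accepted so a code cannot be replayed."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.failures = 0
        self.locked = False
        self.last_counter = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        """Return True and record the step if `submitted` is valid for `now`."""
        if self.locked:
            return False
        now = int(time.time()) if now is None else now
        counter = now // STEP_SECONDS
        for drift in range(-WINDOW, WINDOW + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # this step (or an earlier one) was already used: treat as replay
            expected = totp(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_counter = candidate
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True      # in production: also raise an alert to the IT/security team
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890", base32-encoded); constructed demo
    demo = Account("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(demo.secret, 59))
    print("accepted:", demo.verify(totp(demo.secret, 59), now=59))
    print("replayed:", demo.verify(totp(demo.secret, 59), now=59))
```

The `last_counter` check is what stops a shoulder-surfed or phished code from being reused within its 30-second lifetime, and the drift window is what keeps a phone whose clock is a few seconds off from being locked out.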
Two-Factor Authentication Biometrics and Key Fobs
Some advanced 2FA systems now incorporate biometrics (something the user is) or hardware security keys such as the YubiKey (something the user has). Our preferred 2FA vendor, Duo, also supports the YubiKey, so the user must present a physical device in their possession to authenticate. With biometrics, the user may have to press a finger against a fingerprint scanner or look into a camera with facial recognition before they can log in. With a YubiKey, they plug the key in and touch its button to prove they are physically present. These options aren’t as popular as an authenticator app simply because they require additional hardware that the company may not want to invest in, but they are the strongest options here because there is no code for a user to be tricked into typing into a fake login page. They may become more common as this type of equipment becomes more widespread.
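To show what "presenting a device you possess" means in protocol terms, here is an added example, not Duo's or Yubico's code, modelled on the HMAC-SHA1 challenge-response mode that hardware tokens such as the YubiKey offer. The server holds a per-device secret, sends a fresh random challenge, and the token (on a button press) answers with HMAC(secret, challenge); the server checks the answer in constant time and lets each challenge be answered only once and only within a short lifetime. The `HardwareToken` and `PossessionVerifier` classes and the 60-second lifetime are assumptions for illustration; a real deployment would use the vendor's library rather than this stand-in.

```python
"""Possession-factor check modelled as HMAC challenge-response.

Added example for this article; the classes and lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_TTL = 60  # seconds a challenge stays answerable (assumed policy)


class HardwareToken:
    """Stand-in for the physical key. The secret never leaves the token;
    press_button is the only operation the host can invoke."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def press_button(self, challenge: bytes) -> bytes:
        """The user touches the key; it returns HMAC-SHA1(secret, challenge)."""
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class PossessionVerifier:
    """Server side: one secret per enrolled token and a table of outstanding
    challenges, each of which may be answered exactly once."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        """Record the secret programmed into this user's token at enrolment."""
        self._secrets[user] = secret

    def issue_challenge(self, user: str, now: Optional[float] = None) -> bytes:
        """Hand out a fresh random challenge; a new one replaces any earlier one."""
        challenge = secrets.token_bytes(32)
        self._pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user: str, response: bytes, now: Optional[float] = None) -> bool:
        """True only if the response matches the live, unexpired challenge for this user."""
        now = time.time() if now is None else now
        entry = self._pending.pop(user, None)    # consumed on first use, even on failure
        if entry is None or user not in self._secrets:
            return False
        challenge, issued = entry
        if now - issued > CHALLENGE_TTL:
            return False                          # stale challenge: make the user try again
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo: a 20-byte secret shared between token and server at enrolment
    secret = secrets.token_bytes(20)
    token = HardwareToken(secret)
    server = PossessionVerifier()
    server.enroll("alice", secret)
    challenge = server.issue_challenge("alice")
    print("first answer accepted:", server.verify("alice", token.press_button(challenge)))
    print("same answer replayed:", server.verify("alice", token.press_button(challenge)))
```

Because the challenge is random and single-use, an attacker who records one exchange learns nothing they can replay, and the button press ties the answer to a human at the keyboard.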
Common Pushback on Two-Factor Authentication
While 2FA has been proven to be much more secure than standard passwords, some employers do still receive pushback on implementing it from their employees. One of the most common complaints they hear is that it adds complexity to logging in or takes more time. While this is somewhat true, the tradeoff of a minor inconvenience to the user for dramatically greater security to the company is worth it.
Another complaint is that 2FA requires employees to install an app on their smartphone. While this is true, these apps take up very little space and aren’t a major drain on the phone’s battery or other resources. Employees who prefer not to use their phone can be issued a small authenticator token instead. These devices fit on a keychain and display the access code, though they cannot show the extra context the app can, such as when and from where a login was attempted. Receiving a phone call or a text message is also an option for users who cannot use the app, although codes delivered over the phone network are the weakest of the choices, since they depend on the carrier rather than on the device itself.
Some employees don’t understand why they need both a strong password and Two-Factor Authentication. Each is a reasonable control on its own; combined, they are much stronger. A second factor by itself is still a single factor: if the phone is compromised, the attacker holds it. A strong password by itself can be captured by a keylogger, or exposed in a breach of another service where the same password was reused. Used together, an attacker has to defeat both, which is much, much harder.
By pointing out the reasons 2FA is preferred over standard passwords, employees should recognize why it’s important to use it. While some may still express their unhappiness with the extra step required, entering the authentication code will soon become second nature to most.
2FA User Training Is Essential
Training your employees to make use of 2FA is necessary to avoid some of the pitfalls of this security measure. Walking users through the entire authentication process and being on-site to assist users having problems the first day of the rollout can go a long way to easing user adoption and happiness.
Employees will also need to learn to bring their authentication device to work regularly. Since many people will use the authentication app on their smartphone, this shouldn’t be an issue. However, you will need to have a policy in place in the event that someone loses their phone or their phone dies and they need a day or two to get a replacement.
Once your team is trained on Two-Factor Authentication, they still need to be reminded that password best practices matter. This means using strong, unique passwords that are not shared with other services, and changing a password promptly whenever it may have been exposed. 2FA is not a replacement for passwords, nor is it an excuse to use weak ones.