What is Two-Factor Authentication?
The most common form of multi-factor authentication is two-factor authentication (2FA). As its name suggests, two-factor authentication combines two different methods to confirm a user’s identity.
2FA asks users to prove their identity with two of the three classic categories of factors:
- Something they know – a PIN, a password, a billing address, or the answers to secret questions
- Something they have – a payment card, a key fob, a phone with an authenticator app, a USB security key, or access to an email account
- Something they are – a fingerprint, iris scan, or voice
The two factors must come from different categories; a password plus a PIN is still only one factor, because both are things you know.
A common example: to use a credit card online or over the phone, you provide the card number (#2, something you have) plus a PIN for a debit card or the billing zip code for a credit card (#1, something you know). A one-time code sent to your email or mobile phone to authorize the purchase adds another layer of security; note that the phone is also "something you have", so it strengthens the possession proof rather than adding a third category.
Good Passwords Aren’t Good Enough
Most websites, subscriptions and apps require only a username and a password. This is extremely convenient, but it creates a data security risk. In a prior article we covered the importance of good passwords in depth and why small business owners MUST know their logins, but good passwords and good data security practices aren't always enough:
- You may give your password to someone, and they share it further.
- You may reuse your passwords, so when one site is breached, criminals try the same username and password on bank and investment sites (known as credential stuffing).
Once someone is in your account, you've lost control. It's like letting a burglar into the house: you can lock the doors after they leave, but it's too late; they already have all your sensitive data.
Two-Factor Authentication Security Levels
The more factors you have in place, the more protection you have, but the quality of each factor matters as well. Criminals can easily find out your mother's maiden name; obtaining a copy of your fingerprint is much harder.
The most common 2FA step right now is a one-time code sent to your mobile phone by text message or to your email. An unexpected code is also an alert that someone is TRYING to get into your account and already has your password. Codes sent by text or email are the weakest form of 2FA, since they can be phished or intercepted, so prefer an authenticator app or a hardware security key where a site offers one; still, any second factor beats none. While this step takes another 15 seconds to validate your credentials, it should be your default setting for:
- Anywhere you have superuser or admin credentials
- Bank, financial and investment sites
- Sites that store sensitive client information
- Email log-ins. Once criminals get into your inbox, they often find a treasure trove, including the password-reset links for everything else.
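To show what the "we sent you a code" step looks like on the server side when it is done properly, here is an added Python example written for this article; it is not code from the original page or from any vendor's product. It generates a random six-digit code, stores only a keyed hash of it (so a leaked table cannot be brute-forced over the one million possible codes), expires it after five minutes, accepts it exactly once, and discards it after too many wrong guesses. The five-minute lifetime, the five-guess cap, the server key and the in-memory dictionary standing in for a database are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values assumed for this example; tune them to your own risk appetite.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Server-side half of a 'we texted/emailed you a code' step.

    The store never keeps the plaintext code: with only one million possible
    six-digit codes, a leaked plaintext (or unkeyed hash) table would let an
    attacker recover every outstanding code offline.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key            # secret kept on the server, not in the database
        self._clock = clock               # injectable so expiry can be tested
        self._pending: dict[str, PendingCode] = {}   # in-memory stand-in for a database

    def _digest(self, username: str, code: str) -> bytes:
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code for the user and return it for delivery by SMS or email.

        Issuing a new code replaces any earlier one, so only one code is live per user.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            digest=self._digest(username, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Return True exactly once for the live, unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]   # expired: discard and make the user request a new one
            return False
        entry.attempts += 1
        # Constant-time comparison of the two digests.
        ok = hmac.compare_digest(entry.digest, self._digest(username, submitted))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # single use, and burned after too many guesses
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore(server_key=secrets.token_bytes(32))
    code = store.issue("alice")   # in production, hand this to the SMS/email sender
    print("sent code:", code)
    wrong = "000000" if code != "000000" else "111111"
    print("wrong guess accepted?", store.verify("alice", wrong))
    print("correct code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The guess cap is what makes a six-digit code acceptable at all: without it, an attacker who has the password can simply try all million codes. Expiry and single use keep a code that was phished or read off a lock screen from being replayed later.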
Managing Two-Factor Authentication
Your IT policies and procedures should require employees to use two-factor authentication for every website and app that holds sensitive or financial data. If you manage a website for your clients, a software development company (like us) can help you offer this added layer of security to your users.