Businesses and organizations of any size can experience cyber security attacks. Your business may be attacked simply because an attacker sees it as an easy target, rather than for any specific reason. If you provide services where your customers can log in and access their data, they could also be at risk. Their account passwords could be stolen in a phishing attack, or easily guessed by an attacker.
2FA can be a solid defense for both your business and your customers, protecting access to both systems and accounts.
When your staff log into a business system, or when your customers log into their account on your website, they use a username and password combination. This is known as single-factor authentication: the password is one factor, something you know. 2FA requires them to provide something else on top of that, to verify that they are who they say they are.
There are different types of 2FA verification, based on:
- something you have, or
- something you are.
Something you have could be:
- hardware, for example:
  - security tokens and key fobs assigned to a user that generate one-time access codes, or
  - your phone, where you receive a call back and press certain phone keys to approve the login
- software, for example an app on your smartphone that:
  - generates an access code or one-time password (OTP) from a secret shared with the service, such as Google Authenticator, or
  - receives a push notification asking you to approve the login.
Something you are includes things like:
- fingerprint scans, and
- voice recognition (biometric data).
For example, your staff or customers could get a random 6-digit number or one-time password (OTP) sent to:
- an application on their smartphone, or
- a key fob.
They can use it to verify themselves when they’re logging in, in addition to their normal ‘username and password’ login details.
While an attacker may be able to get hold of your staff’s or customers’ login details quite easily, they’re unlikely to also have the device that receives or generates the OTP. This makes it much harder for the attacker to gain access to someone’s account.
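To make the OTP mechanism concrete, here is an added example (not code from the original page) of how a service generates and checks the 6-digit time-based codes that authenticator apps and key fobs produce. It follows the standard HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1, 30-second steps): the service and the user’s device share a secret at enrolment, and each code is derived from that secret plus the current time step, so a code cannot be predicted without the device. The issuer and account names are placeholders, and the small clock-drift window and replay check are design choices assumed here, not something the page specifies.

```python
"""Server-side TOTP (RFC 6238) in pure Python: enrolment, code generation and
verification with a small clock-skew window and replay protection.
Added illustration; not code from the original article."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per code, the period used by common authenticator apps
DIGITS = 6     # the "random 6-digit number" described in the text


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def enrol(issuer: str, account: str):
    """Generate a fresh shared secret and the otpauth:// URI that is normally
    shown to the user as a QR code to scan into their authenticator app.
    Store `secret` server-side as carefully as a password hash store."""
    secret = secrets.token_bytes(20)  # 160-bit random key (SHA-1 output size)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return secret, uri


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_counter=None, window: int = 1):
    """Return the matching time-step counter if `code` is valid for the
    current step or up to `window` steps either side (tolerating clock drift
    between server and device), otherwise None.  Any counter that is at or
    before `last_counter` (the most recent counter already accepted for this
    user) is refused, so a code captured in transit cannot be replayed."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    counter = unix_time // STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        # constant-time comparison so response timing does not leak partial matches
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    import time
    secret, uri = enrol("ExampleCo", "alice@example.com")   # placeholder names
    print("Enrolment URI:", uri)
    now = int(time.time())
    code = totp(secret, now)
    print("Current code:", code, "-> accepted at step", verify_totp(secret, code, now))
```

The service must persist the counter it last accepted for each user and pass it back as `last_counter` on the next login; without that, a code phished from the user remains valid for the rest of its 30-second step plus the drift window.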
Benefits of 2FA
There are a number of benefits to implementing 2FA on your business systems, and providing it for your customers.
1. It strengthens login security.
2FA stops a password alone from being enough to get into your business systems or your customers’ accounts. Passwords can be weak, or reused across multiple accounts. They can also be stolen in a phishing or malware attack. With 2FA, an attacker who has obtained the password would also need the ‘something you have’ or ‘something you are’ to get access to the account. Bear in mind that a one-time code typed into a web page can still be captured and relayed by a phishing site that forwards it to the real service within its validity window; hardware security keys that check they are talking to the genuine site are resistant to this.
2. It meets customer security expectations.
Customers expect websites to provide 2FA so they can protect their accounts and data. When given the choice, customers may choose a business that provides 2FA over one that doesn’t. Offering it shows them that you treat account and data security as a priority.
3. It reduces the risk of data theft.
Adding a second factor makes it harder for attackers to get access to an account, and so harder to reach the data inside it.
4. It can protect risky access methods, like remote access.
Remote access to a system or network is risky because the login has to be exposed over the internet, where anyone can attempt it. This type of access should always require 2FA so your staff can work remotely without a single stolen password being enough to get in.
If you’re not sure where to start with 2FA, think about which systems you connect to via the internet. These are the systems that are more likely to be targeted in an attack, so they’re the ones most important to protect. It’s likely to be things like:
- your webmail
- a VPN
- any cloud-based service you use.
There’s no shortage of 2FA solutions on the market, but the approach and the technology they use can vary. Talk to your information security expert about the best solution for your business.
Implementing 2FA will vary from system to system. For cloud-based services, you may be able to enforce 2FA for all staff that have access to that service. For services that you manage or build yourself, you can refer to our critical controls for more advice.
Tip: Although 2FA is a great security measure to use, it’s not foolproof. You still need to implement other good security practices. You should also have a plan in place for what to do if something goes wrong, for example how staff or customers recover access when they lose the phone or token that holds their second factor, without that recovery path becoming an easy way around 2FA.