How to apply a 2FA policy in your organization
While there is no way to guarantee foolproof login security, there are ways to strengthen your security measures and make it more difficult for hackers to infiltrate your systems. Specifically, two-factor authentication (2FA) is rapidly becoming the new baseline security measure for both small and large businesses across a wide variety of fields. For MSPs, this shift offers the opportunity to provide your customers with stronger cybersecurity and reduce the number of cyber incidents you need to handle. This can reduce an MSP’s costs and help increase the availability of their resources.
What is two-factor authentication?
Two-factor authentication (2FA), sometimes referred to as two-step verification, is a security process that involves users providing two separate forms of authentication in order to verify their identity and obtain access to an account or other sensitive materials. The basic premise is that while many hackers can break through a password or other knowledge-based security method, it’s much more difficult to intercept the second layer of security that’s involved in 2FA.
The basic level of security that most businesses employ is called single-factor authentication. This typically involves the use of a user ID and password, which can easily be stolen. 2FA uses the username and password as the first of its two parts, but the second part can take one of several forms, each of which is discussed in greater detail in the next section. In general, the second form of authentication should be much more difficult for a potential hacker to acquire.
While many accounts previously utilized knowledge-based authentication as a second layer of security if a user were to forget their password, this process leaves accounts vulnerable to attack. In the digital age, it’s becoming increasingly possible to track down information like a mother’s maiden name or the name of a user’s first pet. Instead of relying on knowledge-based authentication, 2FA asks that users provide proof of something that is truly unique to them. This is typically proof of possession, like a smartphone authentication code, or proof of identity, like some kind of biometric data.
How does two-factor authentication work?
In terms of the user’s experience, two-factor authentication works according to the following steps:
- First, the user attempts to access an application or website and will be prompted to log in.
- The user enters the information that they know—this is typically the standard single-factor authentication of a username and password combination. The site’s server uses this information to identify the user and find a match.
- From there, the site prompts the user to begin the second login step. This is the 2FA component that usually depends on some form of possession, whether it’s a smartphone, a security token, or a biometric.
- The user then enters the one-time password (OTP) or code that they receive through their physical possession. If the 2FA process is based around biometric data, they will be prompted to provide a fingerprint or a face scan.
- Once both identification factors have been entered and verified, the user is authenticated and given access to the website or application.
Steps 4 and 5 are the key components of 2FA. In practice, understanding how 2FA works comes down to understanding the different forms that the second authentication factor can take, as well as the ways these different factors strengthen login security. Authentication factors fall into a few main categories:
- Knowledge factors: This is information that a user knows, like a password or a PIN.
- Possession factors: This is authentication that relies on something that the user owns, like an ID card, a phone, or a security token to approve authentication requests.
- Biometric or inherence factors: These are factors that are inherent to the user’s physical being, like a fingerprint or voice or face recognition.
While knowledge factors are usually used as the first authentication factor, possession and biometric factors usually make up the second element of 2FA. There are several ways a possession factor can be implemented for authentication. These methods include:
- Text messages: This is the most popular form of 2FA. Following a successful username and password login, the user is sent a verification code via SMS to their phone. They then enter that code into the application or website to gain access. This is an easy and cost-effective method of verification.
- Email: In this form of verification, a 5 to 10 digit code is sent to a secondary email address so that the user can confirm their identity. This method has an additional benefit in that email can be accessed from multiple devices, meaning that if you lose your phone, you can still open your email on a different device and obtain the code.
- Voice call: This method lets users receive an OTP over the phone through a text-to-speech service. This is less commonly used but can be a more accessible authentication method for a wider variety of users.
- Hardware tokens: With this form of 2FA, employees are given a physical device, like a key fob, that dynamically generates codes for the users. These codes are then used to authenticate access to their accounts.
- Software tokens: The premise behind software tokens is similar to that of hardware tokens—the main difference being that with software tokens, users do not have to carry an extra device around. Instead, they need to install an application that generates codes onto their phone or computer.
- Push notifications: Some authenticator apps deliver a push notification, similar to the news or calendar alerts you usually get on your phone, that asks the user to approve or deny a login attempt as the second form of authentication.
- Biometric measures: This is a verification process that involves the user proving their identity through an inherence factor like their fingerprint, face, or voice.
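Worked example, added here and not taken from the original article or from SolarWinds: a minimal RFC 6238 software-token flow in Python that ties together the login steps above and the software-token method in the list. The user's app computes a code from a shared seed and the current time; the server verifies the password first, then the code, tolerating one 30-second step of clock drift and refusing a code that has already been accepted. The account name, salt and password are constructed demo values, and the seed is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app shows)."""
    return hotp(secret, at // step, digits)

def match_totp(secret, code, at, step=30, digits=6, window=1):
    """Server side: return the time step whose code matches, allowing `window`
    steps of clock drift either way; None if nothing matches. Constant-time compare."""
    base = at // step
    for candidate in range(max(0, base - window), base + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None

# Constructed demo account (not a real credential): first factor is a salted
# password hash, second factor is the base32 seed an authenticator app would enrol.
_SALT = b"demo-salt"
USERS = {"alice": {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "totp_seed": base64.b32encode(b"12345678901234567890").decode(),  # RFC 6238 test key
    "last_step": -1,  # highest time step already accepted: a code is single-use
}}

def login(username, password, code, now):
    """The article's flow: knowledge factor first, then the possession factor."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return "denied"           # first factor failed: do not reveal which factor
    step = match_totp(base64.b32decode(user["totp_seed"]), code, now)
    if step is None or step <= user["last_step"]:
        return "denied"           # wrong, expired, or already-used code
    user["last_step"] = step      # burn the code so a replayed OTP is refused
    return "authenticated"
```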
What are the benefits of two-factor authentication?
There are many benefits of two-factor authentication, the main one being that it increases security and reduces risk of a data breach or theft by making it harder for cybercriminals to access accounts. Passwords can easily be compromised. With 2FA, a business’s data can remain secure even in the face of such a compromise.
In short, 2FA helps reduce the risk of a cyber incident by strengthening login security, making it more difficult for hackers to access accounts. It also provides better protection for risky access methods like remote access, which is inherently more dangerous since the network or system then needs to be exposed over the internet. 2FA can also simply make users feel more secure, which can increase customer satisfaction for MSPs.
How secure is two-factor authentication?
The truth is that passwords alone are not the best way to secure an account. While the latest password guidelines are helping users create stronger passwords, the majority of passwords remain easy to crack, especially with automated tools. 2FA is much more secure than a password alone because even if a bad actor obtains a user’s login credentials, it is unlikely they also have access to the device receiving an OTP or can replicate the user’s biometric traits. Without that secondary form of authentication, their access will be blocked and the user’s data will remain safe.
Obviously, there is no way to guarantee complete security. However, the more steps that a hacker needs to go through to gain access to an account, the less likely it is that they will successfully break through. Thus, 2FA can significantly increase security as compared to single-factor authentication.
Two-factor authentication and MSPs
Password security and compliance are a major source of potential revenue for MSPs, given that nearly all businesses struggle with them. MSPs build their businesses around reducing risk for their customers, which means that strong authentication measures are no longer just a luxury—they are a necessity. The truth is that, as an MSP, your offering is not complete without 2FA. Without enabling and encouraging 2FA or multi-factor authentication for your customers, you may not be able to compete in the modern landscape.
Beyond simply being a necessity, 2FA has some concrete benefits for MSPs, including the possibility of increasing profits. Remediating security incidents is a costly endeavor. With 2FA, businesses are better protected against such incidents, which can lead to reduced costs. Fewer security concerns also lead to fewer help desk tickets, which saves technicians time and can help make an MSP more operationally efficient.
For MSPs that want to offer their customers the best possible password and cybersecurity measures, it’s important to have a password manager that is built with security in mind. Password managers are designed to make accessing credentials as convenient and as secure as possible, both for MSPs and for their customers. Password and documentation management tools like SolarWinds® Passportal™ help MSPs strengthen the first step of 2FA and better secure accounts. The Passportal tool, which is designed specifically for MSPs, makes it easy to store, manage, and retrieve passwords to increase customer satisfaction and help reduce the chances of a security incident.