“‘Just a password’ has to change”
Two-Factor Authentication (2FA) is one of the most widely recommended steps any enterprise can roll out to boost its security. As the NCSC puts it: “It buys a lot of additional security for relatively little pain.”
2FA, or Multi-Factor Authentication (MFA), is a security layer that simply demands another piece of evidence from users in addition to their password. This means attackers with a stolen password can’t access the online service.
Making the belated step myself, I recently set up 2FA on my Gmail and Twitter accounts, writes Computer Business Review’s Conor Reynolds. It was surprising how simple it was and how little I think about it now. Here’s what I learned.
Setting Up 2FA
Both platforms simply ask you to associate a smart device with the account; in both cases I used my mobile phone, and the process took less than five minutes.
Google users may be familiar with an email that is sent out every time you log into your account from a different computer. The notification says that they have detected someone using your account on a new device, along with details about that device. That email tells users to take no action “if this is you”.
What if that isn’t you? What if it’s a malicious login? The ship has sailed…
With 2FA enabled, every time I log in from a new device an alert/request is sent to my phone that requires me to confirm that, yes, I am trying to log in to my account; if I don’t, I can’t get in. It’s a simple one-button push to confirm.
What if I Lose My Phone?
“What”, the obvious question most will ask, “happens if I lose my phone? Am I locked out of my emails?” For many, user experience considerations like this and the fear of a phone theft or loss being compounded by the inability to do work are a major turn-off. They don’t need to be. For both Google and Twitter you can set a back-up device. (A partner’s phone; your second phone; IT’s phone…)
Not keen on that idea? Google lets you print out 10 one-time passwords on old-fashioned paper, to keep in a safe. In the enterprise world more and more firms are reaching out for the peace of mind that 2FA brings. It’s not always so straightforward.
2FA In the Work Place
The 2FA process described above is simple, but that doesn’t mean that all 2FA roll-outs will be. Workers will push back against the implementation of new security measures that appear to complicate simple tasks.
While Google and Twitter use a simple mobile confirmation, some firms may request that their employees use tokens or embedded cryptographic keys as part of their 2FA security. As Cesar Cerrudo, CTO at IOActive, told Computer Business Review: “You’re essentially relying on users to engage with the second level of security, whether that be fingerprints, eye-scanning or a text message and in most cases; unless you force 2FA upon employees as a requirement, they’re unlikely to bother.”
“This is why it’s so important to work out where 2FA is most appropriate and to generate buy-in to the process.”
One of the more secure ways for an enterprise to roll out 2FA technology is through the use of hard tokens such as one-time code generators. The code generator can be an application or a specific device that generates one-time passwords. These single-use passwords help to eliminate the threat of an attacker learning a static password that can be used in a replay or brute-force attack.
However, while hard tokens are more secure than most forms of 2FA, humans are still a component in the security system, and we are prone to losing or misplacing things.
Stuart Sharp, VP of solution engineering at OneLogin notes that: “People often forget or misplace these tokens and can cause a lot of friction for the user – and not to mention the IT department – when trying to log into enterprise applications, only to find they don’t have the means to do so.
“For this, many organisations choose to use soft tokens, such as mobile authentication apps, which are less likely to be misplaced.”
Deploying at Scale
For enterprises, there is no shortage of partners that can help deploy MFA at scale, e.g. for Office 365. Many of these also offer offline mechanisms for 2FA, so if a worker is on a flight or lacking Wi-Fi they can still log in securely.
For those not wanting to invest in third-party support, tenant admins can also fairly easily set up 2FA for their Office 365 tenant.
The trick to smooth deployment across the enterprise, experts agree, is clear communication ahead of the roll-out: perhaps through sharing a simple cheat sheet. (When you enable MFA for a user, they get a note that additional security measures are required at the next login; those instructions need to be crystal clear about what is required. Starting with a small pilot group for those unfamiliar with change may be best.)
Others may look to single sign-on options like those from Okta or Ping Identity, which support a wide variety of MFA options for thousands of cloud, on-premises, mobile, and custom applications, from G Suite to Outlook and far beyond.
Don’t Let Perfect be the Enemy of Good
Not all forms of 2FA are equally secure: for instance, a common method currently used is for the first authentication step to be a password while the second is a code delivered via an SMS message to the employee’s phone.
Yet often the authorisation process for replacing a SIM card is not as strict as we would like it to be. Hackers have also been known to simply copy a SIM card so they can intercept calls and messages.
Steven Murdoch, Chief Security Architect at OneSpan’s Cambridge Innovation Centre warned us that: “By adopting SMS 2FA companies are effectively outsourcing their security to phone companies who don’t consider it their business to act as a secure authentication service.”
Also, in one of those strange quirks of human nature, setting up 2FA can actually lead to weaker passwords, as employees begin to rely on the second step and adjust by simplifying their passwords for accounts. Thus when a hacker does find a way past the second step, the password is easier to break.
As a comparatively simple option to upgrade your business’s security, it is a first step that all companies should be taking. As the NCSC notes: “Yes, a password is easy to steal or guess, and yes, the second factor can also be quite easy to steal.
“But stealing a matching pair is much, much more difficult than stealing just a password, and ‘just a password’ is where we are right now.
“This needs to change.”