It’s no secret that the cybersecurity landscape is getting scarier every day. Ransomware is spreading like wildfire and cybercriminals are getting better at their job – and make no mistake, cyber-crime is an industry. According to some experts, “If you haven’t been hacked yet, the chances are even greater in 2017.”
It is easy to understand why security experts and business owners are scrambling to come up with ways of making it harder for unauthorized users to enter their network. One of the best methods for controlling access has actually been around for a few years: Multi-Factor Authentication.
What is Multi-Factor Authentication?
Authentication in the data security world is a method of proving you are who you say you are. It can take several forms:
- Something you know (a password or PIN code)
- Something you have (an RSA token or smart card)
- Something you are (a fingerprint or retina scan)
Multi-factor authentication is simply using more than one of these methods for access.
Remember Tom Cruise breaking into the vault in Mission Impossible? It was protected with multi-factor authentication: a voice identification system (something you are), a six-digit access code (something you know), a retinal scan (something you are) and two electronic key cards (something you have). In this example, each layer of security forced the user to prove who they were before allowing them to proceed to the next level of access.
Multi-factor authentication can be turned on at the device level and at the software/app level. At a minimum, we recommend turning on multi-factor authentication for every employee's computer login and for any programs containing sensitive data (like accounting software, line-of-business applications with customer data and email).
Why should you be using it?
Cyber criminals are targeting small and mid-size businesses. They know smaller companies typically don’t have as many resources dedicated to security as enterprises, making smaller organizations easy targets. As a business owner, controlling access is paramount and multi-factor authentication gives you an added layer of security around your access.
Multi-factor authentication's biggest selling point is exactly what makes it so secure: requiring more than one independent factor means an attacker has to compromise more than one thing. If a hacker gets their hands on your password (through a phishing email or a breach of some other site where you reused it), they still won't be able to get into your account without the one-time code. Or if they swipe your smartcard but don't have the password, they still aren't getting in. It is not a guarantee: a user who types a one-time code into a convincing phishing page hands that code to the attacker along with the password, so training still matters. But it turns a single stolen password from a break-in into a failed login attempt.
How to Get It
Applications like Authy and LastPass use your phone as a soft token: the app holds a secret that was shared with the service when you enrolled (usually by scanning a QR code) and uses it, together with the current time, to generate a short one-time code every 30 seconds. The phone holding that secret is your "something you have," and it goes along with your regular password for the application or program as your "something you know." Some of these applications can even be integrated with your phone's fingerprint reader to add an extra level of security with the "something you are" factor.
If you're an Office 365 user, you already have access to free multi-factor authentication. Companies with compliance requirements may need a more robust option like Azure Multi-Factor Authentication. It can be deployed on-premises or in the cloud and integrates with VPN, web applications, Remote Desktop, as well as Office 365 to greatly increase security on these systems.
Unfortunately, one of the biggest downsides to multi-factor authentication is integration: not every application can support it, and legacy protocols that only understand a username and password leave a gap even when the rest of the environment is covered. Talk to your IT company about configuring it to ensure it's set up correctly and everyone in your organization who needs it will be covered.
At PTG, when implementing multi-factor authentication for customers, we start with a week-long pilot with key employees. This allows us to make sure everything is implemented correctly and allows you to see how it will function within your company.
Multi-Factor Authentication vs Two-Step Verification
Two-step verification is a login process similar to multi-factor authentication – so similar, that they’re often confused. In a two-step verification system, you use your password and a temporary passcode to log in. The passcode is usually sent to your phone via text or call.
In this view the only true authentication factor is your password: the code that was texted to you is a secondary check against a phone number you registered earlier. Yes, the phone is still something you have, but the phone itself is not the key used to get through this level of access; the code is just a secondary password and therefore not an additional authentication factor. The practical consequence is that a code delivered by text or voice call can be intercepted (a SIM swap or port-out of your number) or simply phished out of you, which is why an authenticator app or hardware token is the stronger choice where the service offers one.
A lot of websites, like Google and Facebook, use two-step verification as extra security for your logins. It's a good idea to turn these on, too. Even if these accounts don't hold customer information, they typically do contain information that can be used against you (like the answers to common password reset security questions).
In data security, there is no one silver bullet to make everything completely secure and no 100% guarantee you'll never get hacked. But that doesn't mean you shouldn't try to get as close as you can. The cost of adding additional security measures is far outweighed by the cost of a data breach, not to mention the pain and anguish of wishing you had implemented the changes and additional security sooner.