Everything You Need to Know About Two-Factor Authentication–Why Passwords Don't Cut It


With over 40% of Americans working from home full-time, network security is of especially paramount importance. Two-factor (or multifactor) authentication is an essential piece of the security pie. Read on for valuable information and our trusted recommendations.


In this article, we will cover:

1.    What two-factor authentication actually means

2.    Why strong passwords alone aren’t enough

3.    The mindset of “Zero-Trust Security”

4.    How to use Cisco Duo

5.    Enabling two-factor authentication on Facebook

6.    Enabling two-factor authentication on LinkedIn

7.    How to use Okta


What is Two-Factor Authentication?


Two-factor authentication, a subset of multi-factor authentication, is a security feature that gives your accounts an additional layer of security. How does it work?

When you log in to an account with two-factor authentication, you will be given a code that confirms your identity.

Depending on the two-factor authentication platform, you can often choose to have the code emailed, texted, or given to you via phone call. The method verifies your identity by cross-referencing multiple factors. According to CNET, there are three main types of factors:

1.    Knowledge (something you know)

2.    Possession (something you have)

3.    Inherence (something you are)

Sound confusing? All this really means is the system will ask you a question that a hacker won’t be able to answer.

By verifying your identity with two-factor authentication, you prevent hackers and fraudsters who have figured out your password from gaining access to your data and accounts. With only the password, and without the second factor, they are unable to steal your valuable information. Your would-be hacker is sitting in his mother’s basement with Cheeto-stained fingers, surrounded by towers of empty Mountain Dew cans, complaining to himself that even though he expertly discovered your password, he still can’t access your account or information.

In short, two-factor authentication is a simple, hassle-free extra step for you, that will make a hacker’s job a living hell.

To maximize the security of your data and accounts, we recommend getting two-factor authentication on every platform that offers it.

Image courtesy of xkcd.com


Why Passwords Don’t Cut It

Password strength should not be neglected, of course. To thwart brute-force attacks, a password should have many characters (12 at the very least), a good mixture of upper- and lowercase letters, include numbers and, if possible, special characters as well.

Side note: you may be wondering how you can be expected to remember a very strong password. Try this technique: come up with a phrase that has great significance to you and turn it into an acronym, capital letters and numbers included.

For example: “My 9-year old son Billy wet his bed every single day for 3 months and now he sleeps on plastic sheets!”

Password: [M9-yosBwhbesdf3manhsops!].


Bingo! You have a password that’s easy to remember, yet hard to crack. Every time you look at your son, it will be impossible to forget your password.

When a hacker enters many, many password possibilities until they arrive at the correct one, that’s a brute-force attack.

Savvy hackers use bots and programs that can attempt brute-force solutions while they sleep—and weak passwords are the main culprit. If you lazily use only lowercase letters in your password, that’s only 26 possible characters for the program to try at each position. That’s child’s play for an automated program. And no, putting the four digits of your birth year at the end does not a strong password make.

While stopping brute-force attacks is a good first step, it isn’t enough to prevent the new, more sophisticated data attacks.

Even very strong passwords can be easily cracked nowadays with modern hacking techniques. Two-factor authentication helps overcome this problem—even if the hacker uncovers your password, they won’t be able to access your account. The two-factor authentication notification will go to a device or account they don’t have access to, and they will be stopped in their tracks.

Zero-Trust Security

Let’s take a look at some stats, shall we?

According to an IBM report published this year, the average cost of a data breach in 2020 is $3.86 million. This figure includes loss of business, potential fines that must be paid, and time and effort spent rectifying the loss of data.

The same report indicates it takes 280 days, on average, to identify and contain a breach. That’s three quarters of a year that you would love to spend marketing and selling products, developing your team and your market, and making a positive impact on the world—instead relegated to cleaning up the mess you made when you took a lax approach to data security.

Your business can’t afford such a high cost for such a preventable problem. It’s much more economical and sensible to install systems that protect your data ahead of time. Zero-Trust Security is one such system.

As attacks from hackers are becoming increasingly advanced, and as data security becomes more and more valuable in the modern age, many top organizations have embraced the Zero-Trust model of securing their information. Here’s what Zero-Trust Security entails:

1.    Verify everything before granting access to your systems.

2.    That’s it. Pretty simple, right?

Both Duo and Okta, which will be covered later in this article, embody and embrace zero-trust.

Secure Your Remote Teams with Duo

Duo, the security platform of Cisco, is the software we use at Datapath to protect our data and accounts. Many large organizations use Duo’s two-factor authentication to secure their data and applications, such as Facebook, Lyft, Eventbrite, University of Michigan, Threadless, and Etsy.

Some of these high-profile companies have given testimonials to the efficacy of Duo as part of their zero-trust data security models. If it worked for Toyota and Facebook, it’ll work for you. And Duo works for businesses of any size. We can help you get set up. Visit our Network Security page and get in touch with one of our techs to start shielding your team’s credentials and data before it’s too late.

Securing your workforce with Duo gives you one less thing to worry about, so you can focus on the things that matter to you in your business.


How to enable two-factor authentication on Facebook


No one wants to see another “I got hacked” post on Facebook. Protect your account (and protect your friends from annoying “I got hacked” announcements) by setting up two-factor authentication. Here are the steps you’ll need to take:

1.    Click on “Settings and Privacy” in the upper right.

2.    Click on “Settings”

3.    Choose “Security and Login”


4.    Scroll down to “Two-factor Authentication” and click “edit”


5.    Choose your security method. You can choose between an authenticator app, like Duo, or a text message (SMS) option. An authentication app like Duo will generate verification codes for you, while the SMS option will send verification codes to your mobile device.

If you choose “text message”, click “continue” and then enter the code sent to your mobile device. You can still use the Authentication App option as a backup.

And voila! Your Facebook account is protected by two-factor authentication.

What happens if you neglect to set up multi-factor authentication on your Facebook account? A savvy hacker will be able to use your identity for all kinds of nefarious purposes. For example:

  • They could use your login information to access other, more precious accounts.* You might not think it’s a huge deal to have your Facebook account breached, especially if you only use it to share political memes or stalk your ex’s profile. But you’ll be singing a different tune when your banking information is compromised, or when you discover you have purchased 100,000 naira worth of groceries from a supermarket in Nigeria (don’t worry, that’s only about $300 USD).

  • They could use your login credentials to sign up on websites you’ve never heard of, and probably never want to. Don’t be surprised if you start seeing strange ads in your margins after your account is breached.

  • They could send malicious links with malware or spyware in private messages to people on your friends list. Your friends list, even the distant relatives you grudgingly follow, will likely fall into the crosshairs of phishing attacks as well. While your peers might smell a virus from miles away, the overly trusting folks on your friends list will click a nameless link without thinking and infect their machine. This is how viruses spread like wildfire. Don’t let your Great Aunt Irma get catfished!


*According to a 2018 survey by Google, over half of internet users reuse the same password for everything. That means if a hacker gets ahold of your Facebook password, they could try it on all the popular email websites and have a better than 50/50 shot of breaking into your email account. And since your primary email account is often synced with bank accounts, your Netflix account, and embarrassing diary entries, it only gets worse from there.

Image courtesy of xkcd.com


Over half of internet traffic these days is the work of bots, and that includes hackers. That means your workforce’s sensitive data is under attack all the time, around the clock, with very little effort spent by hackers.

There’s also a good chance Facebook will shut down your account once Facebook has detected a breach.

Since Facebook is the second most popular website in the world (after mydatapath.com), it’s more essential than ever to protect your Facebook account. Your privacy and information will thank you later.


How to enable two-factor authentication on LinkedIn

LinkedIn allows users to enable two-step verification in much the same way that Facebook does. You can use either an external authenticator app, like Duo, or use your phone number to receive an SMS when someone tries to log in to your account.

To enable two-step authentication from your computer:

1.    Click on your profile picture at the top-right of your home page.


2.    Click “Settings and Privacy” and then click the “Sign in & security” tab.


3.    At the bottom of the page, you will see an option for “Two-step verification.” Click that, and then click “Turn on.”


To enable two-step authentication from your mobile device:

1.    Tap your profile picture in the upper left, then tap the gear in the upper right.


2.    Tap “Sign in & security” and then tap “Two-step authentication.”


3.    Then tap the blue button that says “Set up.”


From there, you can set up your authenticator app, or continue with SMS setup and enter the 6-digit code sent to your phone.


Our Recommended two-factor authentication App—Okta

Okta is the software we use to make sure all our staff is protected and secured.

Okta describes itself as a “modern security solution” with an “identity driven approach.” They believe the typical security questions—“What’s your mother’s maiden name? What was your first pet’s name? What’s the airspeed velocity of an unladen swallow?”—are a thing of the past, and won’t keep your workforce safe from attacks.

Okta also embraces a “Zero-Trust” (there’s that magic word again) security model. In fact, Okta’s tagline is “Never trust, always verify.” This model is predicated on confirming and authenticating your identity in ways that a hacker won’t be able to.

Don’t get caught with your pants down. If you’re looking to implement two-factor authentication in your organization, Datapath can help. Reach out to us here to get your workforce protected with multi-factor authentication.


Ensuring Safety and Security as We Work from Home

Most of us are continuing to work from home for the foreseeable future (with the exception of our hard-working essential workers—we thank you for your service!). Because of that, we have double- and triple-checked that our workforce and our customers are using two-factor authentication wherever possible, have Duo and Okta installed and running on all locations—desktop, app, and cloud—and, perhaps most importantly, our team of I.T. professionals is providing extended support, answering questions, and offering valuable security insights on demand.


Data security really comes down to peace of mind. It’s one less thing to worry about, for your workforce and for you. When you don’t have to fret about breaking the bank to fix data breaches or exposing your precious data to unwelcome visitors, you can simply focus on the things that are important for you and your business. You can get back to the things that excite you about your job, and the positive impact you’re making on the lives of your customers and your employees.

First things first, secure your data, and make sure your entire team is secure, then you can move on to the work, worry-free.

David Darmstandler