Weak passwords are a huge problem, one that almost everyone is guilty of. Even if you think of yourself as being a diligent, security-minded person, you probably have at least one or two passwords that are common words, followed by a digit or two, followed by an exclamation point.
I’d be willing to bet that the digits in your password represent either your birthday, your anniversary, or your favorite football player’s jersey. With a little time, anyone could gain access to your account. That’s where two-factor authentication comes in.
But let’s not put you on the spot. What about your employees? What about the other people within your organization who deal with sensitive data every single day? Are they all using secure passwords?
Are employees reusing passwords across multiple accounts? That’s just as bad. If they are using the same password on Facebook as they are for their work email, if Facebook gets compromised (like it did in 2019), cybercriminals also have access to that email account.
As of right now, there’s no way to control whether or not your employees are practicing good cybersecurity hygiene outside of your business. There’s no way to prevent an employee from using the same password at work as they do elsewhere.
We’ve discussed 2-Factor Authentication (2FA) before on this blog. Just a quick recap: 2FA is an extra step in the login process that requires you to prove that you are who you say you are, beyond just a password.
Most commonly, 2FA can be set up to send an email or an SMS text to the address/phone number on the account. That message will have a small code in it, which the user will need to provide to finish logging in.
It’s become extremely commonplace, especially amongst websites and online accounts that deal with a lot of personal information and sensitive financial information. Online banking, social media sites, and many online stores have all implemented 2FA, it’s just up to you to enable it and use it.
2FA can also be set up on your local network to log users in to their computers, or across your line of business applications. This is especially important these days, as many businesses have shifted these applications to the cloud or at least have allowed remote access—requiring more than a password does a lot to harden the security of your sensitive information.
Here’s where we run into another problem. If you’ve set your 2FA up to go to your email, you are then relying on your email to never be compromised in order to protect some other account. While using email for your 2FA is better than nothing, it’s not perfect. The most common cybersecurity threats these days affect email.
What about SMS text messages? As it turns out, that’s a little safer than email, but not by much. Here’s why:
2FA doesn’t do much for you if it can be intercepted. The whole point of 2FA is to prove, without a doubt, that you are the one allowed into the account.
2FA applications are just as easy to use, and much more secure, as they don’t rely on SMS messages or emails to give you your temporary code. Instead, the app holds all of your accounts that you’ve set up with 2FA, and when you need a code, you tap on the app, tap the account, and you are given a code.
Some authentication apps even let you verify without needing the code, giving you 1-tap access into the account. It’s simple, yet it’s much more secure.
We’ll get into what your options are for the various authentication apps, but first we wanted to show you how easy it is to set up a new account on one:
It’s worth noting that some services don’t support 2FA, and not all services that support 2FA will work with a 2FA app. Some services, for some reason, use their own authentication app. Depending on the sites you have accounts on and the businesses you work with, you might end up having more than one 2FA app on your phone for different situations. That’s okay, but hopefully in the future more online services will start to standardize so we don’t need to keep track of more than one app.
Apart from the services that only allow you to use their own proprietary authentication app, there are a lot of 2FA apps on the market that you could use. If you are deploying one for personal use, most of these will be a great fit. However, if you are trying to decide on how to set up 2-Factor Authentication for your business and you want to standardize, we highly recommend you reach out to someone at Computerware to sit down with you and review the options to choose the right solution that works best for you.
Here are some of the options a user has to protect their online accounts.
Google Authenticator - Google Authenticator is one of the easier apps to use. It’s a little limited as far as features go, but it’s secure, provided that you keep your Google account secure. Google Authenticator is available on iOS and Android.
Microsoft Authenticator - Microsoft’s Authenticator is like Google’s, as it’s easy to use. It has a few additional features, especially when it comes to signing into services under the Microsoft ecosystem, like Office 365 and Outlook. One other feature we like about Microsoft Authenticator is that it allows you to hide codes, requiring you to only display the code by tapping it. Microsoft Authenticator is available on iOS and Android.
Duo Mobile - Duo Mobile isn’t much different than Google or Microsoft’s option. It does allow you to hide codes like Microsoft’s authenticator. In fact, it hides codes by default, which is nice. Duo Mobile is available on both Android and iOS.
FreeOTP - Don’t let the word “free” get you excited—all the apps mentioned so far are free. FreeOTP is the smallest authenticator in the list as of right now, so if you are running a much older phone and storage is an issue, this might be a good choice. The other apps aren’t huge by any means—they clock in at roughly the same amount of storage space as a handful of photos. To compare though, this authenticator takes up less than a megabyte of storage, which is slightly less than a typical smartphone camera photo. Otherwise, this app has essentially the same features as Duo and Microsoft’s authenticators, minus Microsoft being better connected with other Microsoft software. FreeOPT is available on Android and iOS.
Authy - Authy is where things start to get fancy. First, Authy is available on more platforms than just smartphones. You can run it on Android and iOS like the others, but it also has a Windows and macOS application, and a Chrome extension. Authy stores your codes in the cloud, meaning you can easily switch devices and sync your codes over without re-authenticating everything. That said, Authy is only going to be as secure as you allow it to be… using a weak password will put you right back at risk again. One other thing we like about Authy is that it can be set up to require a PIN number or fingerprint to unlock your codes on your phone.
Yandex Key - Like Authy, Yandex can be locked with a PIN code or fingerprint. It also lets you store a backup of your codes in the cloud in case you want to move it to a new device. Its interface isn’t as user friendly, especially if you have a lot of codes to generate, but it’s otherwise simple to use. Yandex Key is only available for iOS and Android.
We want to touch on this, because 2FA authentication apps might not fit all businesses. Think of hardware authenticators like a key to a combination safe. You still need to know the combination (AKA the password), but you also need the physical key in order to get in. Again, it’s two types of authentication.
FIDO U2F tokens (despite having the least catchy name of any modern-day technology) work like keys. You simply connect the U2F token to the device you want to log into, type in your password, and it lets you in. If the user doesn’t have their U2F token, they can’t get in.
These tokens are nothing more than simple USB sticks, like the USB thumb drives used to take files on the go. Employees can fit them on a key ring or on their ID badge. There are also near-field-communication (NFC) cards that work with compatible devices like smartphones, tablets, and smart door locks.
There are limits to what hardware authenticators can do, but for some businesses, it might be the best way to ensure security; especially when security comes down to each individual employee.
Need help determining which solution would work best for your organization? Give Computerware a call today at (703) 821-8200. We’re here to help!