Passwords were never enough for strong security, even in a non-digital era. Ali Baba overheard "Open sesame!" and was able to steal a cave's worth of treasure. The Heartbleed bug announced last year put even encrypted passwords at risk. This year, Anthem reported a security breach caused by stolen passwords. Protecting your intellectual property and your customers' personal information has never been more challenging or more important than in today's information security environment, where risks abound and companies must maintain constant vigilance.
Two-factor authentication is a critical security enhancement that most companies should be investigating if they have not already implemented it. Because a password alone doesn't prove that the user should have access to the system, this method adds a second, independent means of authentication to the login process.
Two-factor authentication requires the user both to know something (the password) and either to have something (like a one-time code or token sent to a specific device) or to be someone (through a matching biometric such as a fingerprint). Vulnerabilities like Heartbleed or theft of credentials through phishing only get an attacker the password; without the second element of the two-factor login process, the attacker can't gain access.
Ask Questions Before Implementing Two-Factor Authentication
There's no question two-factor authentication adds another layer of security to company networks. Before implementing it, however, companies need to ask the right questions to make sure they get the benefits without spending more than necessary.
Ask yourself which systems really need two-factor authentication. Not all systems are equally vulnerable to hacking attempts, and not all systems contain equally sensitive information. The risk of unauthorized access to some applications and databases may be too low to merit a high level of security.
It's also important to think through the ways two-factor authentication can be implemented. First, realize that the security questions commonly used to retrieve lost passwords do not provide two-factor authentication. They are still just something the user knows, and at best are a second password.
Generating a unique token is often done by sending a one-time code to the user's cellphone. Tokens can also be generated through smartcard devices, though users often find it inconvenient to have to carry an additional device. It's also possible to block unauthorized computers, as well as unauthorized users, through use of digital certificates.
Make a Plan
The costs of a security breach can be significant: the breach at Anthem may cost the company $100 million or more. Keeping malicious entities out requires more than just a firewall, and with today's technology that means layered controls such as two-factor authentication.
Discuss your cyber security strategy with your information security team or a third-party security and compliance firm. Garland Heart offers a comprehensive security review that can help you determine the best way to use two-factor authentication and other modern cyber security tools to safeguard your systems.