We are all used to signing in to our various online accounts using our trusty password. We are trained to choose and handle passwords securely as they are the key that protects our online data and services from prying eyes and malicious access. We also know how hard this can be for everyday users who cannot keep up with changing their password regularly and keeping track of different password on different sites.
In short, the old password system is failing and the proof lies in in the sheer number of hacking events that are being reported.
Something You Know (Factor 1)
A password based security system relies on a short piece of text that is known only to the owner of the account and supplied every time to prove your identity when signing in. Just like a key, anybody who knows this single piece of information gains access to the system and data. For this reason, passwords are referred to as “something you know”.
Whilst passwords work fine to let you sign in, the system is vulnerable to password theft. Just like keys, hackers will try to steal your password in order to impersonate you and take over your online account and identity. Here are some of the most common password theft techniques:
Spyware
Spyware software may be installed on your device without your knowledge. These stealth applications will run without your knowledge to capture and steal passwords (and other data) as you type them.
Phishing Sites
These are Internet sites that pose as trustworthy organisations (such as a social media portal) and request your security details. Unaware that these sites are illegitimate, users will happily type in their passwords which are promptly stolen and maliciously used.
Email Requests
A simple and yet surprisingly common password theft technique is a simple email request to a user. Passwords and other sensitive information should never be given out by email, even if requested by a seemingly legitimate party.
Something You Have (Factor 2)
Two Factor Authentication (2FA) works to improve security by adding a second layer above your password. This second factor relies on "something that you have", such as your mobile phone or a smart token. This new security layer dramatically improves your account security since password theft is no longer a threat. Malicious users must now gain access to your device as well as your password to take over your account. This is obviously much harder and improbable.
STEP 1: A simple 2FA system will start by requesting the user password (something you know).
STEP 2: Once the password is verified and the user account is located, a short one-time code is automatically sent out as and SMS text message to the mobile registered to the user (something you have).
The user receives the short code and types it into the login page on the Internet. Authentication is complete when both the password and the mobile code are verified. Mobile short codes can only be used once and have a short lifetime such that they cannot be stolen to be used on your account later on.
Make It Secure But Also Easy
Implementing and using a 2FA system for your online system will make your data and online apps much more secure. This becomes more and more important with sensitive or personal data stored online. 2FA will also boost customer confidence as it reassures customers of the level of security adopted to protect their data within your organisation.
On the other hand, 2FA must be implemented in such a way to cause the minimum amount of added hassle and complexity to users. Already frustrated with traditional passwords (remembering and changing password can be a handful for most people), they are likely to find any added security system to be a further hurdle. A well designed 2FA system will make use of multiple (hybrid) techniques to make the process easy and (largely) invisible to every day users. For example, 2FA may be only required upon the first sign-in from a device and not each time since some users may need to sign in several times a day.
2FA is here
Google was among the very first Internet companies to introduce 2FA for its customers. The Google process makes use of a user password combined with either an SMS text short code or the use of an Android mobile app (Google Authenticator). Many more online companies are moving to offer 2FA to its customers. These include Amazon, eBay, Apple and PayPal. Most of these companies chose to provide 2FA as the recommended security system (although optional).
Getting Started
Businesses should be seriously considering adopting 2FA as their recommended online security measure, together with SSL encryption and other standard techniques to ensure their customers’ data and facilities are protected and as safe as possible. Depending on your industry, the data you hold may be sensitive (banking, insurance, ecommerce...) and the success of your online business may really depend on the confidence you instill in your customers.
As a customer and a user of online services, you should seek to use 2FA wherever available. We all hear of people who had their online accounts hacked and stolen and it is no fun!
Webcraft
Webcraft develops and delivers online digital solutions from small websites to complete eBusiness packages including 2FA security. Speak to us to learn more how your business could benefit.