You’ve likely heard a thing—or two (ba dum tss!)—about two-factor authentication, or 2FA. After all, it’s become a bit of a hot topic recently as the nature and number of security breaches have evolved.
Compromised user data regularly surfaces on the dark web, giving malicious actors access to your password(s) for a couple bucks. That’s why passwords just don’t cut it as your only security effort anymore—and that’s where 2FA comes in.
What is 2FA and why is it important?
Simply put, 2FA requires a user to identify themselves in two ways—or using two different methods—before allowing them to access an account or a specific resource.
Adding a second factor makes it far more difficult for anyone who only has a password to actually access your account. Typically, the second factor is something that’s a challenge to reproduce and compromise, and it’s not usually part of the data that’s been breached.
What are the different “factors” in 2FA?
The most common 2FA factors can be categorized in three easy-to-remember ways:
- Something you know. This is the one we’re most familiar with. It’s a password, a PIN, your mother’s maiden name, the name of your first pet. The possibilities for this category are pretty much endless.
- Something you have. We also see this one a lot. This factor can be something physical, like a USB key with specific keys on it, or it can be something digital, like a time-based one-time password or code—think Google Authenticator.
- Something you are. We’re starting to see this factor more and more, especially with the rise of biometrics. It’s what makes you unique, and it’s something you definitely shouldn’t share with someone else—it’s a fingerprint, your voice, or even your face.
It’s important to note that in order for a combination of factors to qualify as true 2FA, the factors have to come from two separate categories. When thinking about 2FA, the combo of a password and a security question likely comes to mind. But it isn’t actually 2FA, since there’s only one “factor,” and it’s something you know.
It’s not just a computer thing either. Think about your credit card. It’s something you have (the card itself), and it’s something you know (now, your PIN… previously, your signature).
Or think about your entry card into the office. I have an RFID tag that allows me into my office, and in some environments the RFID tag is not enough—you still have to enter a PIN into a keypad to gain entry as a second factor.
What are the different types of 2FA?
So what does qualify as 2FA? If your 2FA process combines what you know and have, know and are, or have and are, it likely counts. Let’s take a look at some common combos:
- A password and token. This is the 2FA type we’re most used to. In the past, we saw hard tokens such as RSA’s SecurID, but now we typically see a “soft” token such as a TOTP (time-based one-time password) six-digit code on a phone.
- A password and mobile push. Under this type of 2FA, an event is “pushed” to a mobile phone (or a smartwatch) after a user enters a password. This allows the user to simply acknowledge that they have their phone and verify it’s them, and it saves them from having to put in any codes. We have phones on us 24/7, so why not use them?
- A password and biometric. My MacBook allows me to use my fingerprint to log in instead of a password. This isn’t 2FA. But, if I needed both my password and the fingerprint, I’d have 2FA with “something I know” and “something I am.”
- A biometric and connected token. You may have noticed a theme throughout this list, but sometimes 2FA doesn’t even require a password. We’re most familiar with the “something you know,” but you could easily build two-factor authentication with “something you have” like a USB key and “something you are” like a fingerprint.
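To make the “soft” token from the first combo concrete, here is an added example (not from the original article or any vendor’s code) of how a server can compute and check the six-digit TOTP code per RFC 6238. The `verify` helper, its one-step drift window and the replay counter are assumptions chosen for illustration; the secret is the RFC’s published test key, not a real credential.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid for (RFC 6238 default)
DIGITS = 6    # the six-digit code shown by authenticator apps


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA-1 over the 30-second time counter."""
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float,
           last_used_counter: int = -1, window: int = 1):
    """Return the time counter the code matched, or None if it is rejected.

    Hypothetical server-side check: tolerates +/- `window` steps of clock
    drift, compares in constant time, and refuses any counter at or below
    the last accepted one so a captured code cannot be replayed.
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    current = int(at) // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        candidate = totp(secret, counter * STEP)
        if hmac.compare_digest(candidate, submitted) and counter > last_used_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test key (public value)
    code = totp(demo_secret, 59)
    print("code at t=59:", code)
    print("accepted on first use:", verify(demo_secret, code, 59))
    print("accepted on replay:", verify(demo_secret, code, 59, last_used_counter=1))
```

The server stores the returned counter per user and passes it back as `last_used_counter` on the next login, which is what turns the phone-held secret into a one-time proof of possession.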
If your 2FA process uses two separate factors, it only needs to check one more box to be considered “good”: It needs to be simple! You don’t want to inconvenience users with a complicated authentication process or disrupt the user experience. It has to be easy if you want adoption.
How can I set up 2FA?
Luckily you don’t have to reinvent the wheel to set 2FA up for most of your clients or their employees. Most applications you use will support 2FA out of the box—business productivity platforms like Office 365 and G Suite include multiple 2FA options, as do most other cloud applications. If you have legacy on-premises applications, they may be less likely to support 2FA, but there are still lots that do—just check your vendor documentation.
If you’re an Auvik partner, enabling 2FA is easy. And make sure you do it soon—mandatory 2FA in Auvik takes effect Mar 21, 2020.