You’ve likely heard a thing—or two (ba dum tss!)—about two-factor authentication, or 2FA. After all, it’s become a bit of a hot topic recently as the nature and number of security breaches have evolved.

Compromised user data regularly surfaces on the dark web, giving malicious actors access to your password(s) for a couple bucks. That’s why passwords just don’t cut it as your only security effort anymore—and that’s where 2FA comes in.

What is 2FA and why is it important?

Simply put, 2FA requires a user to identify themselves in two ways—or using two different methods—before allowing them to access an account or a specific resource.

Adding a second factor makes it far more difficult for anyone who only has a password to actually access your account. Typically, the second factor is something that’s a challenge to reproduce and compromise, and it’s not usually part of the data that’s been breached.

What are the different “factors” in 2FA?

The most common 2FA factors can be categorized in three easy-to-remember ways:

  • Something you know. This is the one we’re most familiar with. It’s a password, a PIN, your mother’s maiden name, the name of your first pet. The possibilities for this category are pretty much endless.
  • Something you have. We also see this one a lot. This factor can be something physical, like a USB key with specific keys on it, or it can be something digital, like a time-based one-time password or code—think Google Authenticator.
  • Something you are. We’re starting to see this factor more and more, especially with the rise of biometrics. It’s what makes you unique, and it’s something you definitely shouldn’t share with someone else—it’s a fingerprint, your voice, or even your face.

It’s important to note that in order for a combination of factors to qualify as true 2FA, the factors have to come from two separate categories. When thinking about 2FA, the combo of a password and a security question likely comes to mind. But it isn’t actually 2FA, since there’s only one “factor,” and it’s something you know.

It’s not just a computer thing either. Think about your credit card. It’s something you have (the card itself), and it’s something you know (now, your PIN… previously, your signature).

Or think about your entry card into the office. I have an RFID tag that allows me into my office, and in some environments the RFID tag is not enough—you still have to enter a PIN into a keypad to gain entry as a second factor.

What are the different types of 2FA?

So what does qualify as 2FA? If your 2FA process combines what you know and have, know and are, or have and are, it likely counts. Let’s take a look at some common combos:

  • A password and token. This is the 2FA type we’re most used to. In the past, we saw hard tokens such as RSA’s SecurID, but now we typically see a “soft” token such as a TOTP (time-based one-time password) six-digit code on a phone.
  • A password and mobile push. Under this type of 2FA, an event is “pushed” to a mobile phone (or a smartwatch) after a user enters a password. This allows the user to simply acknowledge that they have their phone and verify it’s them, and it saves them from having to put in any codes. We have phones on us 24/7, so why not use them?
  • A password and biometric. My MacBook allows me to use my fingerprint to log in instead of a password. This isn’t 2FA. But, if I needed both my password and the fingerprint, I’d have 2FA with “something I know” and “something I am.”
  • A biometric and connected token. You may have noticed a theme throughout this list, but sometimes 2FA doesn’t even require a password. We’re most familiar with the “something you know,” but you could easily build two-factor authentication with “something you have” like a USB key and “something you are” like a fingerprint.

If your 2FA process uses two separate factors, it only needs to check one more box to be considered “good”: It needs to be simple! You don’t want to inconvenience users with a complicated authentication process or disrupt the user experience. It has to be easy if you want adoption.

How can I set up 2FA?

Luckily you don’t have to reinvent the wheel to set 2FA up for most of your clients or their employees. Most applications you use will support 2FA out of the box—business productivity platforms like Office 365 and G Suite include multiple 2FA options, as do most other cloud applications. If you have legacy on-premises applications, they may be less likely to support 2FA, but there are still lots that do—just check your vendor documentation.

If you’re an Auvik partner, enabling 2FA is easy. And make sure you do it soon—mandatory 2FA in Auvik takes effect Mar 21, 2020.
