The internet had barely celebrated its first birthday before criminals were finding ways to exploit it. For anyone with the technical skills to do so (and an equivalent lack of scruples), a foray into cyber criminality meant easy money. And so as web-use became our daily norm, cybercrime predictably followed.
What once began as a cottage industry for basement-bedroom hackers has since developed into a sophisticated, multi-trillion (yes, that’s trillion with a “T”) dollar scourge on the world’s economy. So loudly has the cybercrime industry boomed that Wired Magazine once wondered, with its tongue planted firmly in cheek: “Cybercrime: The Next Entrepreneurial Growth Business?” Sadly, Wired, you weren’t far off the mark.
Since that article was posted five years ago, thieves and scammers have only gotten better at what they do. For businesses small and large, staying one step ahead of the thugs of the “malspace” presents a formidable challenge. How do you protect your accounts when a simple username and password can now be cracked as easily as a roast chestnut on Christmas morning?
The answer, cutting-edge as you might think it is, has actually been around since the dark ages of Geocities and AOL discs-as-coasters: Two-Factor Authentication.
2FA, as it’s known in short, is just about everywhere now. In fact, you’ve all but certainly bumped into it yourself while logging into Facebook or Gmail, or when attempting to do some online banking. The concept is beautifully simple: two layers of security are better than one. Because the extra layer lives in the physical world (the device in your pocket), hacking into your account becomes that much more difficult without access to your person.
The elegance of two-factor authentication lies in its components. The first is something you know: your password. The second is something you have: your phone. Before your password is fully validated, a short numeric code (typically 4-8 digits in length, and known as a “verification code” or “one-time password (OTP)”) is sent to your device. This number is then keyed in alongside your user password, thus providing confirmation that “yup, cool beans, you are in fact actually you.”
While popular among consumer websites, it’s only in the past couple of years that two-factor authentication has grabbed the lapels of the business world. Any of the OTP authentication methods often seen on consumer sites could easily be rolled out in a company setting, but not all of them are created equal, and none of them is an entirely bulletproof security measure.
The one-time password options available include SMS (the most popular method; who hasn’t received a code by text?), email, and a voice call. Each of these methods requires access to a phone and signal of some kind. Should your phone be dead, lost, or stolen, these three OTP authentication methods might make recovering your account difficult (or potentially impossible). What’s more, phone calls, texts, and emails can all be rerouted or intercepted by savvy hackers, which still leaves you vulnerable despite your business utilizing 2FA.
A far better (and recommended) 2FA method is the “authenticator app.” When you log into a service, such as Gmail, you’re usually asked if you would like to set up 2FA, with an option to have tokens delivered via an authenticator app. If you choose this route, the service will generate a QR code, which you scan with the app, thus linking it to the service in question. Now you’ll be able to use your phone to generate tokens (or codes; the terms are generally interchangeable), which you then input when logging in — just as you would for an SMS-based OTP. Depending on the app, the code may be generated on demand, or automatically at a fixed interval (usually every 30 seconds). The latter is how Google Authenticator does it. If you open the app, you’ll see a list of all the services you’re using it for, each with a unique temporary code.
Though Google Authenticator is the industry leader, there are other token-based 2FA apps out there, like Microsoft Authenticator and Authy. Then there’s Duo Mobile, which uses push authentication to verify your login. Instead of generating a code that you must then type in elsewhere, you get a screen-pop of: YES | NO. Included are the service you’re trying to log into (your JNT TEK Client Portal), the user’s name (Walter Chroncat), the location of the attempted login (Goobertown, AR), and the time and day — all to essentially ask, “is this you?”
But perhaps the most secure method of 2FA is something called FIDO U2F, a relatively new leap forward in authentication tech. U2F takes the form of a physical security key, often a small USB fob that you keep with your car keys, then plug into your computer to “unlock” it. Because there’s no code to type in, and the U2F key talks directly to the website you’re attempting to access (the key signs a challenge that is bound to that site’s origin, so a look-alike site cannot obtain a usable response), the technology is actually phishing-proof — a huge advantage over other forms of 2FA.
So strong is the access control of FIDO U2F that industry leader YubiKey is used by organizations as diverse as Google, The University of Auckland, and the Turkish government. Even Duo (mentioned above), itself a trusted provider of application-based 2FA, champions the easy employment and hardware-backed protection of YubiKeys. [As an aside, the writer of this article was herself once issued a YubiKey at a Fortune 500 company, and can confirm its ease of use as an addition to an employee’s login routine. There’s nothing quite like plugging a USB fob into a computer with your car keys still attached.]
What’s brilliant about app-based 2FA and U2F is that they’re stackable. A USB fob and an authenticator app may be used in conjunction, albeit while accessing different areas within your system. This allows small and large businesses alike to establish high levels of security impenetrable by even the most determined hackers.
Hey, it works for Google.
Contact JNT TEK today for more recommendations on how to implement Two-Factor Authentication for your business.