Multi-factor or two-factor authentication (2FA) is an incredibly effective way to prevent cybercriminals from accessing your business’ systems, services or applications. We’re all accustomed to the standard username and password model, but 2FA requires users to present two or more different pieces of evidence when logging into their accounts.
These can be things like a username and password (something you know), approval through a multi-factor authentication application (something you have) or a fingerprint (something you are). An everyday example is paying with a bank card, which used to require the card (something you have) and a PIN (something you know); contactless payment such as PayPass has made the PIN step obsolete for most purchases, though it is still needed for withdrawing money.
While some advanced attack techniques can bypass 2FA, requiring two factors for authentication makes it much more difficult for cybercriminals to gain unauthorised access to sensitive data and systems, even if they have obtained the user’s password through a phishing attack or other means.
Beyond 2FA software your business can run on its own network, such as Windows Hello, third-party vendors often offer 2FA for their services as well. Check the service’s settings to enable it, or contact the vendor to ask how.
When should Multi-Factor Authentication be implemented?
As an SME, you may not think that you have valuable data or assets that are worth protecting. However, any business that collects customer data, such as names, addresses and credit card information, is at risk of a data breach. In addition, if your business has any proprietary information or trade secrets, such as manufacturing processes or customer lists, you could be at risk of industrial espionage. Even if you don’t believe your data is worth protecting, the mere risk of a cyberattack interrupting your business operations is worth considering.
Some older, legacy systems may not support multi-factor authentication, and it adds another step for employees and therefore an added inconvenience, but 2FA must still be added to your business’ operations, even more so since it’s one of the Essential Eight Cyber Security strategies. It is especially important for work-related activities like remote access solutions, users performing privileged actions and staff accessing important data. As mentioned, it provides a way to securely authenticate the user: if the first form of defence, like a PIN (personal identification number), password or passphrase, is breached, the attacker is unable to progress further as they don’t have the second.
Depending on what maturity level of Essential Eight your business is aiming for, how you implement two-factor authentication can differ.
At Maturity Level One, the authentication methods used must not be of the same class (something staff know, something they have or something they are), and one doesn’t have to be a memorised secret. If you’re only now implementing multi-factor authentication and need to be at a higher maturity level, it might be easier to simply use a higher form of 2FA as mentioned below.
At Maturity Level Two, the authentication methods that can be used, and in what combination, are restricted. Acceptable multi-factor authentication implementations include something users have (like a single-factor one-time PIN device, or single-factor cryptographic software or device, cryptography being a way of protecting information and communications through codes) or something staff have that is unlocked by something they know or are (a multi-factor OTP device or multi-factor cryptographic software or device). Biometrics, like fingerprint or retina scanning, are not acceptable at this level. At this level, event logs for multi-factor authentication should also be collected and stored to help with incident response.
At Maturity Level Three, all staff accessing important data must be using multi-factor authentication. The types and combinations of 2FA are restricted, such as by cryptographically verifying what they are authenticating to. Cybercriminals try to get around multi-factor authentication by stealing authentication data to impersonate staff, so organisations are to use multi-factor authentication solutions that are resistant to phishing, like security keys, smartcards or a Trusted Platform Module. Businesses are not to use push notifications or SMS codes as authentication methods, as these are often abused by adversaries.
How to Implement Two-Factor Authentication for SMEs
Implementing 2FA may sound complicated, but it is actually a straightforward process. Here are the steps you can take to implement 2FA for your SME:
- Choose a 2FA solution: There are many 2FA solutions available, including hardware tokens, mobile apps, and SMS-based solutions. Choose a solution that fits your budget and needs.
- Configure your 2FA solution: Once you have chosen a solution, you will need to configure it for your business. This typically involves setting up user accounts and configuring the authentication factors.
- Train your employees: It is important to train your employees on how to use the 2FA solution and why it is important. This will help ensure that they understand the process and are more likely to use it consistently.
- Test your 2FA solution: Before deploying 2FA to all users, it is important to test the solution to ensure that it is working correctly and does not cause any compatibility issues with your existing systems.
- Roll out 2FA to all users: Once you have tested the solution, you can roll it out to all users. This typically involves providing instructions on how to use the solution and ensuring that all users are using it correctly.
To test whether these measures are working, try logging on to a system or application that has the authentication set up and check that it asks for two or more authentication factors, such as a password and a one-time PIN. For higher levels, watch as an employee with administrative privileges logs into a system or application to see whether they are required to use multi-factor authentication. Make sure to check the logins of multiple services, as, for example, a cloud service may have a different implementation of 2FA than an on-premise service. Also, for Level Three, ask staff members to send through lists of the important data repositories in the business’ network, as well as screenshots of attempting to log in to these, including the multiple forms of authentication each should be requesting. Ensure event logs of multi-factor authentication are also protected and monitored for signs of compromise and modification.
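The paragraph above, and the Maturity Level Two guidance earlier, say MFA event logs should be collected and monitored for signs of compromise; the Level Three guidance notes that push notifications are abused by adversaries. The following is an added example, not from the article or any vendor product, of what such monitoring can look like: it reads a handful of constructed MFA event lines (the `user=... result=...` format is an assumption, not a real product's log format) and flags a user who receives a burst of denied prompts in a short window, and again if a prompt is then accepted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA event log (not from any real system). One event per line:
# ISO timestamp, then key=value fields. "mfa_denied" means the user rejected or
# failed the prompt; "mfa_success" means the second factor was accepted.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice result=mfa_success method=totp src=10.0.0.5
2024-03-01T08:00:30Z user=bob result=mfa_denied method=push src=203.0.113.9
2024-03-01T08:00:45Z user=bob result=mfa_denied method=push src=203.0.113.9
2024-03-01T08:01:10Z user=bob result=mfa_denied method=push src=203.0.113.9
2024-03-01T08:01:40Z user=bob result=mfa_denied method=push src=203.0.113.9
2024-03-01T08:02:05Z user=bob result=mfa_success method=push src=203.0.113.9
2024-03-01T09:15:00Z user=carol result=mfa_denied method=totp src=10.0.0.7
2024-03-01T09:20:00Z user=carol result=mfa_success method=totp src=10.0.0.7
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a parsed 'ts' datetime."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_prompt_bombing(log_text: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts for users who see `threshold` or more denied MFA prompts
    within `window`, plus a second alert if a prompt is accepted while that
    burst is still recent. Thresholds are assumptions to tune per environment."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_denials = defaultdict(list)   # user -> timestamps of denials in window
    burst_open = set()                   # users already alerted for the current burst
    alerts = []
    for ev in events:
        user = ev["user"]
        # Forget denials that have aged out of the window; close the burst if empty.
        recent_denials[user] = [t for t in recent_denials[user] if ev["ts"] - t <= window]
        if not recent_denials[user]:
            burst_open.discard(user)
        if ev["result"] == "mfa_denied":
            recent_denials[user].append(ev["ts"])
            if len(recent_denials[user]) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"kind": "denial_burst", "user": user, "src": ev["src"],
                               "ts": ev["ts"], "denials": len(recent_denials[user])})
        elif ev["result"] == "mfa_success":
            if user in burst_open:
                # A burst of refusals followed by an acceptance is worth a human look.
                alerts.append({"kind": "accepted_after_burst", "user": user,
                               "src": ev["src"], "ts": ev["ts"],
                               "denials": len(recent_denials[user])})
            burst_open.discard(user)
            recent_denials[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["kind"], alert["user"], alert["src"])
```

Running it prints two alerts for `bob` and none for `alice` or `carol`, whose single denial followed by a success is ordinary user behaviour. The useful property for a small business is that this needs nothing beyond the logs the article already tells you to keep.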
If you’re not aiming for Maturity Level Three, select a multi-factor authentication solution that interferes less with user workflows. Make sure to also turn off and replace old and redundant authentication systems. If you’re receiving pushback on 2FA, introduce policies or roll out the authentication in stages across the company, starting with high-risk users. Also, have a support plan to handle failed logins and account lockouts.
Keep in mind, though, that Cyber Security should be a part of your business’ culture. Everyone must be on board with implementing security measures, as multi-factor authentication is just one of the eight strategies and businesses need to implement them all to a certain degree.
Types of Two-Factor Authentication
SMS Token: Sends the user a unique token, usually a 5 to 10-digit code, via text message after they enter their username and password; this code is then entered to grant access. While user-friendly and available to almost everyone, text messages can be intercepted by third parties, and this method relies on people having a charged phone.
Email Token: Similar to an SMS token, this method sends a 5 to 10-character alphanumeric token or asks you to click a link in the email. Once again, these are user-friendly, cheap to set up and maintain, and offer both a link and a token in case one doesn’t work. However, emails can land in spam or fail to be delivered, and they can be intercepted by criminals.
Hardware Token: A user is given a physical device, such as a key fob, USB dongle or another device that generates a token for the staff member. These tokens are usually valid for only a short time. Hardware tokens don’t require reception or internet connectivity and are reliable and secure. They can be expensive to set up, though, can be misplaced, and can be a bit user-unfriendly when a separate one is needed for each service. Examples include:
- Yubico YubiKey 5
- Kensington VeriMark USB
- Google Titan Security Key
Software Token: Users download and install an application on their computer or device that generates tokens for them. These tokens are only valid for a short period before changing. Software tokens are more user-friendly, can be updated when needed and can be customised with different features. Some can be expensive, though, and they require users to download and install software that might be compromised without their knowledge. Two-factor authentication is available on most applications today at no additional cost and should be enforced across these applications. A firewall can also help by enforcing 2FA for remote connections. Examples of 2FA software include:
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
Phone Call: The employee receives a phone call once they have entered their username and password, and the call provides them with the token. This method is easy to use, if somewhat inconvenient, and is cheap and reliable as it requires less bandwidth than data. Downsides are that phone calls can be intercepted or voicemails hacked, reception is required, and the user actually needs a phone.
Biometric Verification: Relies on the user being the token, through fingerprints, retina scans and voice and facial recognition. It’s also user-friendly. This does, however, raise questions about the storage of biometric data and privacy concerns, and storage locations can be compromised. It also requires specific hardware, like cameras and scanners.
Implementing two-factor authentication is a simple and effective way to improve your SME’s Cyber Security posture. By requiring two authentication factors, 2FA makes it much more difficult for cybercriminals to gain unauthorised access to your sensitive data and systems.
If you have any questions or would like help implementing 2FA for your SME, please don’t hesitate to contact us. Our team of expert technicians specialising in Cyber Security can help you choose the right solution and ensure that it is configured correctly for your business.