Why you need Two-Factor Authentication (2FA)
Back in the 1990s, one of the most-watched programmes was “The X-Files”. Week after week we would watch FBI Agents Mulder and Scully tackle things that should not be. I remember one episode where Mulder has gone missing and Scully is trying to crack the password on his laptop, which she eventually does by using “Trustno1”. At the time I thought it was the cleverest password I’d ever seen. It has since featured quite prominently in the worst-password lists, which are a perennial IT favourite at the end of the year.
Password management for users is a problem for IT support departments. Make the rules too complicated and you get pushback from everyone (up to and including senior management); make them too lax and you invite account compromise and create a security risk. Windows Server does give various options for managing passwords within a domain:
- Enforced password change (so users have to change after a set period of time).
- Password History (so you can’t use the same password more than once).
- Usage of special characters (such as !, $, %, ^, etc.) as part of the password.
What tends to happen is that users keep the same base password and simply tag 1, 2, 3, 4, etc. on the end to satisfy your carefully constructed rules, which leaves a predictable pattern and a potential security hole for your IT support team to worry about.
Two (or Multi) Factor Authentication (2FA) uses two different items of information in order to authenticate. Typically this is something you have and something you know. There are others, such as ‘somewhere you are’, but these are the two we will be focusing on.
- Something you have could be something like a USB stick, bank card or what is typically called a ‘token’.
- Something you know. This is usually your password or PIN.
Only by using a combination of these will you be able to authenticate and gain access to your systems. Drawing cash out of an ATM is an excellent example of 2FA: you need both your bank card and your PIN. Either of these on its own is no good. You need both.
Imagine sitting at your workstation or connecting remotely via a VPN. You enter your username and then your password. Once your password has been authenticated, the system then asks you for your token code. Typically this is the set of numbers shown on either a physical token or on a software-based ‘soft’ token that you can load onto your smartphone. This can be combined with an additional PIN, but that is very much down to individual configuration. The numbers on either a physical or soft token change every minute, providing an ever-changing means of authentication.
If you are at a coffee shop connecting to your cloud services, and someone surreptitiously spies your password (and other details), then they would have only a minute to gain access (assuming they had your other details) before the token code changed and the one they saw became useless.
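To make the "only a minute" point concrete, here is an added example (not code from the original post) of a time-based token code (RFC 6238 TOTP) on both sides: the token generating a code, and the server verifying it. It assumes a 60-second step as described above (most authenticator apps actually use 30 seconds), a constructed demo secret, and the RFC's recommendation that a code is accepted only once, so a spied code fails even within the same minute if the real user has already logged in.

```python
import base64
import hashlib
import hmac
import struct

# Assumptions for this illustration: 60-second step as the post describes
# (real apps usually use 30 s), 6-digit codes, HMAC-SHA1 per RFC 6238.
STEP_SECONDS = 60
DIGITS = 6

# Constructed demo secret (base32, as enrolled into a soft token via QR code).
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Return the 6-digit code a token would display at unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                      # time steps since the epoch
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TotpVerifier:
    """Server side: accepts a code for the current step only, and only once."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS):
        self.secret_b32 = secret_b32
        self.step = step
        self.last_used_counter = -1   # one-time use: a code cannot be replayed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_used_counter:
            return False              # already used in this step (replay attempt)
        expected = totp_code(self.secret_b32, now, self.step)
        if not hmac.compare_digest(expected, code):   # constant-time comparison
            return False
        self.last_used_counter = counter
        return True


def demo() -> dict:
    """The coffee-shop scenario: a code spied at t0 is reused a little later."""
    t0 = 1_700_000_000                # constructed capture time (20 s into its step)
    spied = totp_code(DEMO_SECRET_B32, t0)
    v = TotpVerifier(DEMO_SECRET_B32)
    return {
        "legit_login": v.verify(spied, t0 + 5),          # real user, same minute
        "replay_same_minute": v.verify(spied, t0 + 10),  # reused code, same minute
        "replay_next_minute": TotpVerifier(DEMO_SECRET_B32).verify(spied, t0 + 60),
    }
```

Production verifiers usually also tolerate one step of clock drift either side, which is why the one-time-use check matters: without it the stolen code would stay valid for that whole tolerance window.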
There has been a recent move towards soft tokens. Unlike physical tokens, they won’t need replacing (physical tokens have on average three years’ battery life) and they don’t tend to get lost as often. There are multiple choices for soft tokens, including some that act as a ‘repository’ for tokens so you only need the one app. How soft tokens work is also changing: for example, when you try to authenticate you may receive a push notification on your smart device asking you to approve the access.
Aside from soft tokens, it is also worth mentioning that 2FA can take different forms when connecting to a system. You might get an automated call to a specific number, and only if that call is answered in the correct way would you be authenticated onto that system.
IT security is a hidden business issue that can have deep repercussions. Business security becomes more important with each passing day, but users are often resistant to change. When you consider how important your systems and data are, and how important online service accounts are (such as Twitter, Facebook, Instagram, etc.), the question becomes: can you afford not to?