2-Factor Authentication
Two-Factor Authentication (2FA) is a form of what is more generally called multi-factor authentication (MFA). In simple terms, it adds an extra layer of security to every online platform you access. The first layer is generally a combination of a username and password. Adding one more step of proving your identity makes it harder for an attacker to access your data.
Just Fix IT can help you deploy 2FA to your staff to drastically reduce the chances of fraud, data loss, or identity theft. Microsoft research labs report that 99.9% of internet-facing account hacks can be eliminated by deploying 2FA for remote access platforms.
User passwords are a weak link in the security chain: passwords have been the mainstream form of authentication since the start of the digital revolution, but this security measure is far from infallible. Here are some worrying facts about this traditional security measure:
- 90% of passwords can be cracked in less than six hours.
- Almost two-thirds of people use the same password at home and at work.
- Sophisticated cyber attackers have the power to test billions of passwords every second.
The vulnerability of passwords is the main reason for requiring and using 2FA. Most 2FA systems are designed so that someone who has maliciously gained access to your password still can’t access the platform, since they are missing the second authentication factor.
2FA can be one of the following formats:
- something you know (passphrase, PIN, answer to a secret question)
- something you have (token, cell phone, USB stick, key fob with NFC)
- something you are (biometric factor such as face or voice recognition, fingerprint, retina scan)
Since the biometric options raise privacy issues and have high costs, the most popular format is an additional object you carry with you that is separate from the platform you are connecting to.
Standalone 2FA – Email or Text
Typically used for website portals/online apps. Any time you try to log in, you are sent an email/SMS with a PIN code that needs to be entered in the platform. This is often deployed by third-party web portals as it requires no integration with your IT environment. It relies on the user having access to a smartphone or to an email account that has not been compromised. The use is entirely dictated by the website host, so if a company has multiple web-based apps, users could be required to perform the login/validation multiple times a day.
Example: a one-time password from your bank, delivered as a text message to your mobile phone, that is valid only for a short time – you enter it together with your username and password for Internet banking.
Standalone 2FA – 3rd Party Token
This is used to gain access to a web portal or network. You are required to enter a PIN code in addition to your username and password. The PIN is produced by a third-party device or smartphone app that provides a time-based one-time PIN code (usually numeric). The third party offers an approved authentication source: a private key is preloaded on your device or smartphone when you enrol, the app derives each code from that key, and the third party validates the code you enter. The third party does not have direct access to your company network. Each software platform or portal you access uses a different key and there is no central management, so if you lose the smartphone that the app runs on, it is complex to revoke the keys, move to a new phone and rebuild all the entries.
Example: a one-time code generated by an app like Google Authenticator or Facebook Code Generator – you use it to log in to your email or social media account.
Integrated 2FA – 3rd Party Token
This is used to gain access to an internal company portal or network. You are required to enter a PIN code in addition to your username and password. The PIN is produced by a third-party device or app that provides a time-based one-time PIN code (usually numeric). The third-party validation is communicated to your company server (such as a RADIUS server or an Access Gateway running on a server), which grants permission to access the platform. The username and password entered also need to be valid but are not shared with the third party.
The Integrated 2FA model is ideal to safeguard a company’s G-Suite cloud services, Remote Desktop and some forms of VPN accounts.
Example – Popular brands that provide a security token are Duo MFA (powered by Cisco) and RSA.
Best 2FA for Businesses protecting their Networks:
We recommend the Integrated 2FA design for businesses when considering security for remote access to a company network such as VPN or Remote Desktop. It gives better control of user management and allows a single 2FA token generator to be used across multiple software platforms for a Single Sign-On (SSO) approach.
Just Fix IT has worked with many customers looking to deploy 2FA, and found it was vital to consider the general usability and software compatibility, whilst still verifying the security credentials.
Engaging Just Fix IT to deploy Duo MFA:
After multiple deployments we found that Duo MFA (powered by Cisco) provides the best all round 2FA service, with the perfect balance of security and ease of use.
- No-fuss pricing based on a straightforward user count
- Superior compatibility with more of the industry-standard software platforms
- Choice of a private cloud or public cloud design for the Access Gateway depending on the company preference.
- The end-user was clearly considered in the design to make it routine to apply this extra security layer.
- The option of central management by an external IT provider so they can offer support in the event a user lost their token key or smartphone.
The Duo product also focused on making the rollout easy for both IT managers and end-users, with email templates to send the users a sign-up link and a step-by-step guide to test that the 2FA token is working before going live.
The options for deployment included a smartphone app, desktop app or a hard-token YubiKey USB device. All of these allowed central management in the event the token needed to be revoked or reissued, with a foolproof workaround via the IT helpdesk to grant a temporary bypass code to a user if their smartphone was genuinely lost.
Deploying the Duo MFA protected the company from loss in the event of a password exposure or brute-force password attack, created a heightened sense of security and awareness amongst staff, and yet provided it in a practical, easily adopted form.
The 2FA solution represented great value compared to the risk it prevented, as the simple, low-cost-per-user model was typically offset by lower cyber-insurance premiums.
Case example:
While deploying a new security mandate to require 2-factor authentication (a time-based one-time PIN code in addition to a username and password) for all remote staff, a manufacturing company got into hot water when all their on-site staff suddenly found they had to enter a new code hourly, yet some did not have a smartphone to receive the code by SMS text message. Staff tried to duck around the system by sharing one cell phone between several desks, and by trying to use each other’s credentials. The problem was brought back under control by consulting with Just Fix IT and rapidly setting the company up with the Duo MFA solution. This allowed the option of a hardware YubiKey USB dongle for any desk user that did not have a smartphone. Users found it much easier to use, and with support from their line managers they accepted the requirement to use unique logins. Furthermore, to help the users cope with the changes if they forgot their cell phone or YubiKey, Just Fix IT included the ability for a temporary bypass code to be available by calling the JFI Helpdesk (with the appropriate validation).
The company was able to move ahead with adopting security best practices with the buy-in of their staff.
Talk with a Professional
Don’t hesitate to reach out and contact us directly. One of our team members will be happy to contact you back and start working with you to find the right solution for your company.