
IS Decisions Blog

When two-factor authentication becomes a security requirement

Two-factor authentication (2FA) requirements are becoming more common. Here’s how to ensure your 2FA solution integrates with your existing environment and protects all user identities properly.

Updated May 17, 2024

The desire for enhanced digital security has caught the attention of governments around the world, all looking to protect consumers and businesses. Many have proposed legislation to make two-factor authentication (2FA) mandatory for access to IT systems and networks.

The humble password has long been a major weakness in all IT security systems. Sure, increasing password complexity and length can add more protection, but it can’t overcome poor user habits or stolen credentials.

2FA definition

First, let's define two-factor authentication (2FA). 2FA adds an extra layer of security to ensure only the right person gains access to your systems and network. This extra layer reduces reliance on a single password to stop threats.

The difference between 2FA and MFA

You'll often see 2FA called multi-factor authentication (MFA). In fact, there's a slight difference between MFA and 2FA definitions. 2FA requires a user to submit a second item of proof (factor) to gain access. With MFA, the user needs to submit two or more factors.

What are common MFA factors?

There are three common factors of authentication:

  • Something you know: a password or PIN.

  • Something you have: a hardware key or token, or a smartphone with an authenticator app.

  • Something you are: a biometric factor like a fingerprint or facial recognition.

2FA requirements are becoming more common

We're starting to see two-factor authentication required by major compliance standards and wide-reaching regulations.

For example, U.S. President Joe Biden's May 2021 executive order issued one of the most far-reaching 2FA requirements for all government agencies. This means strong authentication is required across federal agencies like the FBI, Department of Homeland Security and the National Security Agency.

In the U.K., the National Cyber Security Centre issued strong guidance to British businesses in the face of increased threat from foreign agencies. Included among the recommendations was the inclusion of multi-factor authentication requirements to enable logon protections for system access.

Similar 2FA requirements are becoming more common in industry frameworks, too. The Payment Card Industry Data Security Standard’s latest version now requires 2FA or multi-factor authentication (MFA) for account-related tasks, such as certain types of payments. By adding two-factor requirements, providers are better able to protect their clients against fraud.

And other industries that deal with sensitive personal information are following suit. In the U.S., there are moves to improve the Health Insurance Portability and Accountability Act to include requirements for two-factor authentication. By tightening access to sensitive patient data with a second factor of authentication, providers can protect patient confidentiality.

Why do 2FA requirements matter?

The key benefits of 2FA are the ability to tighten perimeter defenses and reduce the risk of malicious actors gaining access to corporate or government systems. By adding an additional layer of authentication, users are better able to protect themselves and businesses can help shield their customers from fraud, identity theft, blackmail and other losses.

Making 2FA or MFA mandatory at government or industry levels gives digital laggards an encouraging push to update their access control systems for the benefit of their users and customers.

How is 2FA different from a password?

2FA does not replace passwords entirely. In most cases your systems, like Active Directory, will still require a standard username and password combination.

The second-factor authentication process takes place after the user enters their Windows credentials. At this point, the user gets a prompt for a second factor to confirm their identity. Depending on which MFA method they're using, this could be a push notification that they need to approve, a prompt to connect a hardware authentication device to their machine, or a nudge to enter a TOTP code from a 2FA authenticator app.
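As an added illustration (not code from the original post or from UserLock), here is the two-step flow described above in Python: a PBKDF2 password check, then an RFC 6238 TOTP check that tolerates one 30-second step of clock drift. The user record, salt and TOTP seed (the RFC 6238 test-vector key) are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user: salted PBKDF2 password hash plus the base32 TOTP seed
# (the RFC 6238 test-vector key) that the user's authenticator app would also hold.
_SALT = b"constructed-demo-salt"
USERS = {
    "jsmith": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2024!", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}

def totp(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the 30-second time counter."""
    counter = int(timestamp) // step
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_password(username, password):
    """Factor one: constant-time comparison against the stored PBKDF2 hash."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])

def verify_totp(username, code, now=None, drift=1):
    """Factor two: accept the current code or one within +/- `drift` steps of skew."""
    user = USERS.get(username)
    if user is None:
        return False
    now = time.time() if now is None else now
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + 30 * k), code):
            return True
    return False

def login(username, password, code, now=None):
    """The two-step flow from the text: password first, then the TOTP prompt."""
    if not verify_password(username, password):
        return "denied"
    if not verify_totp(username, code, now):
        return "second-factor-required"
    return "granted"
```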

Is 2FA secure?

It’s hard to bypass 2FA. Without direct access to a user’s secondary authentication method, like a smartphone, app or hardware token, it’s nearly impossible to complete the second stage of the 2FA process. This makes systems protected by 2FA much harder to compromise, and thus, much more secure.

How can you fulfil your 2FA requirements?

Like any security control, a 2FA deployment must be carefully planned to ensure it protects your assets properly. Among the biggest challenges you’ll face will be enabling 2FA on legacy systems and integrating the technology with your existing environment. Without addressing these questions, your new defenses are unlikely to be as comprehensive as you might have hoped.

As you prepare to incorporate 2FA into your digital security protocols, there are several other questions you should consider, including:

Which accounts need 2FA?

It may be tempting to apply 2FA only to admin-level accounts or those with permissions allowing them to make system and security configuration changes. However, this approach does not sufficiently address data access permissions. For example, your sales manager may not be able to add firewall rules, but they can access GDPR-protected personal information in the customer database.

It's worth remembering that cybercriminals will often start by compromising a single system. Then, they’ll use that compromised system as a staging point for further attacks inside a corporate network. Gaining access to a lower-level account has the potential to cause bigger problems down the road. Ideally, you want to prevent hackers from achieving any foothold inside your defenses.

For the most comprehensive and consistent protection, 2FA should be a requirement for all user accounts.

Which 2FA “factor” should you use?

Not all 2FA “factors” are created equal, and some are inherently more secure than others. SMS confirmation codes are popular because they are quick and easy to implement, but SMS is not as safe as using a hardware token or an authenticator app.

For instance, mobile malware can read SMS messages from a compromised phone, which may give hackers a way to capture a 2FA token. Using a securely sandboxed authenticator app, such as Google Authenticator or Microsoft Authenticator, is much more secure. Once the app is opened, an encrypted confirmation is passed to the user’s system without human intervention.

Should you customize your 2FA offering?

Network security is a balancing act of protecting systems from unauthorized access without significantly impairing user productivity. Because every organization's processes are unique, an off-the-shelf solution will likely need configurable granularity to meet every need.

A good starting point is mapping out the various authentication touchpoints throughout your network and the processes they impact. This will help you understand your own 2FA requirements and how best to deploy the technology.

Expect to see more 2FA requirements

The reality is that businesses of all sizes must improve data security provisions to better protect their operations and customers. Increasingly, legislation and industry best-practice frameworks are pushing organizations in the right direction. On top of that, customers are more aware than ever about online risks, and they’re demanding that their data is protected against loss or theft.

That’s why thinking about current 2FA requirements and planning for future implementation makes good strategic sense. Eventually, 2FA will become a necessary and unavoidable part of doing business.
