The desire for enhanced digital security has caught the attention of governments around the world, all looking to protect consumers and businesses. Many have proposed legislation that makes two-factor authentication (2FA) a mandatory requirement for IT systems.
The humble password has long been a major weakness in all IT security systems. Increasing password complexity and length may add some additional protection, but it can’t overcome poor user habits or stolen credentials. Two-factor authentication (2FA) offers a strong alternative for increasing security by requiring additional verification for each logon attempt, which reduces reliance on a single password.
Mandating a 2FA requirement
On May 12, 2021, U.S. President Joe Biden issued an executive order making 2FA a legal requirement for all government agencies. Federal agencies like the FBI, Department of Homeland Security and the National Security Agency were given 180 days to implement 2FA protection for all data.
In the U.K., the National Cyber Security Centre issued strong guidance to British businesses in the face of increased threat from foreign agencies. Among the recommendations was the addition of 2FA logon protections to their systems.
Similar 2FA requirements are becoming more common in industry frameworks, too. The Payment Card Industry Data Security Standard’s latest version now requires 2FA or Multi-Factor Authentication (MFA) for account-related tasks, such as certain types of payments. By adding logon requirements, providers are better able to protect their clients against fraud.
Other industries that deal with sensitive personal information are following suit. In the U.S., there are moves to improve the Health Insurance Portability and Accountability Act to include 2FA requirements. By tightening access to sensitive patient data with secondary authentication, providers can protect patient confidentiality.
Why do 2FA requirements matter?
The key benefits of 2FA are the ability to tighten perimeter defenses and reduce the risk of malicious actors gaining access to corporate or government systems. By adding an additional layer of authentication, users are better able to protect themselves and businesses can help shield their customers from fraud, identity theft, blackmail and other losses.
Mandating 2FA at the government or industry levels gives digital laggards an encouraging push to update their access control systems for the benefit of their users and customers.
How is 2FA different from a password?
2FA will not replace passwords entirely. In most cases your systems, like Active Directory, will still require a standard username and password combination.
The second authentication process takes place after the initial credentials have been submitted. At this point, the user will be asked for a second, unrelated factor to confirm their identity. This could be a push notification that directs them to log into a smartphone app, or it could be a hardware token connected to their device.
Is it easy to get around 2FA?
It’s hard to bypass 2FA. Without direct access to a user’s secondary authentication method, like a smartphone, app or hardware token, it’s nearly impossible to complete the second stage of the 2FA process. This makes systems protected by 2FA much harder to compromise, and thus, much more secure.
How can you fulfil your 2FA requirements?
Like any security control, a 2FA deployment must be carefully planned to ensure it protects your assets properly. Among the biggest challenges you’ll face will be enabling 2FA on legacy systems and integrating the technology with your existing environment. Without addressing these questions, your new defenses are unlikely to be as comprehensive as you might have hoped.
As you prepare to incorporate 2FA into your digital security protocols, there are several other questions you should consider, including:
Which accounts need 2FA?
It may be tempting to apply 2FA only to admin-level accounts or those with permissions allowing them to make system and security configuration changes. However, this approach does not sufficiently address data access permissions. For example, your sales manager may not be able to add firewall rules, but they can access GDPR-protected personal information in the customer database.
It’s worth remembering that cybercriminals will often start by compromising a single system. Then, they’ll use that compromised system as a staging point for further attacks inside a corporate network. Gaining access to a lower-level account has the potential to cause bigger problems down the road. Ideally, you want to prevent hackers from achieving any foothold inside your defenses.
For the most comprehensive and consistent protection, 2FA should be a requirement for all user accounts.
Which 2FA “factor” should you use?
Not all 2FA “factors” are created equal, and some are inherently more secure than others. SMS confirmation codes are popular because they are quick and easy to implement, but they are not as safe as using a hardware token or an authenticator app.
For instance, mobile malware can read SMS messages from a compromised phone, which may give hackers a way to capture a 2FA token. Using a securely sandboxed authenticator app, such as Google Authenticator or Microsoft Authenticator, is much more secure. Once the app is opened, an encrypted confirmation is passed to the user’s system without human intervention.
Should you customize your 2FA offering?
Network security is a balancing act: protecting systems from unauthorized access without significantly impairing user productivity. Given that every organization’s processes are unique, an off-the-shelf solution would likely need granular controls to meet every need.
A good starting point is mapping out the various authentication touchpoints throughout your network and the processes they impact. This will help you understand your own 2FA requirements and how best to deploy the technology.
2FA is becoming unavoidable
The reality is that businesses of all sizes must improve data security provisions to better protect their operations and customers. Increasingly, legislation and industry best-practice frameworks are pushing organizations in the right direction. On top of that, customers are more aware than ever of online risks, and they’re demanding that their data be protected against loss or theft.
That’s why thinking about current 2FA requirements and planning for future implementation makes good strategic sense. Eventually, 2FA will become a necessary and unavoidable part of doing business.