Two-Factor Authentication
What is two-factor authentication?
Two-factor authentication (2FA) is an extra layer of security to help protect your accounts from hackers and cybercriminals. It requires you to authenticate yourself using two different factors: something you know, such as a password or PIN, and something you have with you, such as a mobile device or token.
Besides the added security, 2FA also makes logging into your cloud applications more convenient. For example, if a hacker has just obtained your user ID and password through a data breach, they still won’t be able to access your account, since they likely don’t have physical access to the mobile device or token that generates the one-time passcode required for login.
2FA is quickly gaining popularity across the enterprise because it provides an extra layer of protection to safeguard data while enabling users to be more productive.
How 2FA works
With 2FA, your identity is confirmed by two factors: something you know (such as a password) and something you have (such as your mobile device). When logging in, after correctly entering your username and password, you will then receive an automated phone call or text message containing a one-time passcode, which you must enter into the login screen for complete authentication.
2FA is implemented through software tokens that are installed on end-user devices such as smartphones, tablets or smart cards. The token generates one-time passcodes that expire within seconds. If an attacker attempts to use a leaked password to access your data, they would also need to enter the one-time passcode that was sent as part of the 2FA authentication request.
Since 2FA requires the use of multiple factors for authentication, it is considered a more secure method than passwords alone.
Why businesses should use it
There has been an increase in cyberattacks that have resulted in data breaches, where hackers are stealing user IDs and passwords. 2FA significantly reduces the risk of unauthorized access to cloud applications with increased security, while still allowing users to seamlessly access their accounts when needed. This hybrid approach gives organizations the best of both worlds.
2FA is superior to other authentication methods because it provides stronger security than a password alone can, while also letting you benefit from single sign-on, so you won’t need multiple usernames and passwords for different apps.
Common types of 2FA
There are several popular 2FA implementations available today which vary in how they work depending on the device that generates the one-time password or a user’s personal preferences.
- SMS-based 2FA: Requires you to use a one-time passcode sent via SMS text message to complete authentication on your device. Apple iCloud, Gmail, Facebook, Twitter and Snapchat all have this feature available for users.
- Token-based 2FA or soft token: Provides an app that generates a one-time passcode that expires within seconds, which is required for login similar to SMS two-factor authentication. RSA SecurID is the most well-known token solution today, but many organizations are beginning to implement Google Authenticator as more devices are enabled with NFC technology.
- Call or push notification based 2FA: This method sends an automated phone call or push notification containing your one-time passcode to your mobile device to complete authentication. Many mobile banking apps now offer this level of security for added protection.
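The soft-token type above, and the one-time passcodes that "expire within seconds" described under How 2FA works, are typically time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following added example, which is not code from the original page or from any vendor named here, shows both halves: the generator running on the user's device and a server-side verifier that tolerates one step of clock skew and refuses to accept a code a second time within its lifetime. The secret is the constructed RFC test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (base32, the form encoded in an enrollment QR code).
# It is the public RFC 4226/6238 test-vector key, NOT a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # lifetime of one code: "expires within seconds"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side: accepts the code for the current step (plus `skew` steps either
    way for clock drift) and never accepts a step at or below the last one used, so a
    code captured by an attacker cannot be replayed while it is still 'valid'."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, skew: int = 1):
        self.secret_b32, self.step, self.skew = secret_b32, step, skew
        self.last_accepted_step = -1  # persist per user in a real deployment

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed (or older): reject replays
            expected = totp(self.secret_b32, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code:", totp(DEMO_SECRET_B32, now), "valid for", STEP_SECONDS - now % STEP_SECONDS, "s")
```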
The top 2FA practices
Businesses should ensure that their cloud applications enable 2FA as an option for end-users. It is also recommended that users leverage two-factor authentication wherever possible when it’s available, even if only SMS-based 2FA is offered by a specific app or service.
It is best practice for admins to set up 2FA with one or more tokens in addition to using SMS text messages since there can be issues with phone reception at times. If you choose the token method, make sure it uses push notifications instead of an automated call so you won’t have to enter a one-time passcode over the phone while still maintaining a high level of security.
2FA is a proven technology that should be used in conjunction with strong authentication methods such as passwords and certificates to provide enhanced security for organizations and their employees who use cloud applications from Google, DocuSign, Slack, OneDrive and many others. This will add another layer of protection for your users against phishing attacks and other cyber threats.
How to set up two-factor authentication for your accounts
Many organizations provide the option to enable two-factor authentication for their services, but it can be a cumbersome process for some users. To make this process easier, there are a number of free apps available on both Android and iOS devices that can simplify the 2FA setup process.
The benefits of using two-factor authentication
Once you have enabled it for your accounts, you’ll not only protect them against unauthorized access but will also be able to leverage single sign-on to reduce the number of usernames and passwords you need to remember.
Google admins can set up 2FA on G Suite applications using a QR code or Admin console settings, while users can turn it on by visiting their My Account page via their desktop browser. Google’s 2FA implementation offers several second factors that include:
- Push notifications sent to the user’s mobile device
- Automated phone calls with audio messages containing one-time passcodes
- Tokens
- SMS text messages
- Authenticator apps such as Google Authenticator
Frequently asked questions about two-factor authentication
Why do I need 2FA for my account?
Because accounts with 2FA enabled are more secure and less vulnerable to cyberattacks.
How does two-factor authentication make me more secure?
Two-factor authentication provides a second layer of security whenever an account is accessed from a new device or web browser, making it harder for attackers to gain access to your accounts even if they have obtained the password.
How do I set up 2FA?
It is best practice for admins to set up 2FA with one or more tokens in addition to using SMS text messages since there can be issues with phone reception at times. If you choose the token method, make sure it uses push notifications instead of an automated call so you won’t have to enter a one-time passcode over the phone while still maintaining a high level of security.
What devices should I set up for 2FA?
You can set up 2FA for all devices, including smartphones, tablets, smartwatches and computers.
Does 2FA slow down the login process?
No. In fact, it generally takes less time to complete authentication with two factors than with only one.
Is there a downside to enabling 2FA on too many accounts?
While enabling 2FA for all of your accounts isn’t an issue, you shouldn’t disable SMS text messages as one of the second factors just yet. That’s because there are still some services that require them before allowing users to set up 2FA with push notifications or physical keys. We recommend using offline backups to back up your tokens and recovery codes in case you lose access to your primary phone.
Is it safe to use SMS texts as my second factor?
SMS text messages are only secure when they’re sent over a secured network (i.e., HTTPS). Always make sure that any website where you enter your phone number is running over this encrypted connection before entering your mobile number anywhere on the web. Otherwise, people can intercept these text messages anywhere between your phone and the service you’re trying to authenticate with.
Do I need to worry about SMS text message spoofing?
There is no need to worry about SMS text message spoofing if you are sending the texts over HTTPS. However, make sure that your service provider supports an encrypted network before providing it with your phone number.
How do I get back into my account if I’ve forgotten my 2FA settings?
You should start by using a recovery code which will help you reset 2FA. If that doesn’t work, contact customer support who can also help you add a backup code or token.
How do I recover an account when I set up SMS text messages as my 2FA method?
In the event that you’ve lost access to your phone number but have a recovery code for your account, use this code in addition to a new mobile number to reset your 2FA settings. You can then set up SMS text messaging from scratch with Google Authenticator or another authenticator app.
If you don’t have access to the device where you currently have 2FA turned on, contact support and provide them with your recovery codes so they can remove it from all devices. Once they’ve done this, re-enable two-factor authentication using an authenticator app such as Google Authenticator.
Do I need to use my phone number as one of the factors in my two-factor authentication login process?
Yes. While you can use your alternate email or phone number instead in some cases, this isn’t possible in others. For example, Facebook requires you to provide one of the backup login factors when setting up 2FA, and this usually has to be an SMS-capable device tied to your mobile account. On the other hand, Google does not require specific devices for adding authenticators if you turn on 2FA through its security settings page.