Two-factor authentication: what it is and how it protects your organization


Cybercrime is on the rise. Cybercriminals are using the rapidly improving and growing internet to their advantage.

So how do we protect our data from hackers? Is there an accessible tool for both individuals and organizations to keep information secure?

Yes! And it’s called two-factor or multi-factor authentication (2FA or MFA for short).

For over 25 years, WEBIT Services has helped its clients reach their IT goals and secure their systems through various cybersecurity tools and practices. We have found that two-factor authentication adds another level of protection to password-protected systems. Of course, as an IT provider, we will be biased about what tools we find the most effective. This does not necessarily mean that this tool will be a fit for you and your company.

When you finish reading this article, you’ll know why passwords aren’t enough, what two-factor authentication is, and how it works. Armed with this information, you’ll be able to make an educated choice as to whether two-factor authentication is right for you and your organization.

Why aren’t passwords enough to protect your data?

As computing power continues to improve, passwords alone are not sufficient protection for your data. Cybercriminals can use password-guessing programs to crack passwords in brute-force attacks, or they can attempt to steal your passwords through phishing emails or social engineering. If they successfully obtain the password to one account and that same password is reused on other accounts, all of those logins are likely in danger.

For a password to be remotely secure, at the very minimum, it needs:

  • To be a random combination of letters, numbers, and special characters.
  • To be at least 12 characters long.
  • To be unique for each account.
  • To be updated every 90 days.
  • Ideally, to be a passphrase, as recommended by the FBI.

Even with these precautions, good password practices are not always enough to prevent cybercriminals. Therefore, we must take additional precautions to outpace cybercriminals. And this brings us to two-factor authentication.

What is two-factor authentication?

Two-factor authentication (also known as 2FA) is an additional layer of protection provided by a separate program or device. After entering your password, you must also enter a randomly generated, time-sensitive code to log into a website or account. This code can consist of numbers, letters, or a mixture of both.

2FA is not a “one size fits all” program. In general, there are three variations of 2FA available for use. They are:

1. SMS-based 2FA

A verification code is sent to your mobile phone via text message. Once you receive the code on your device, enter it into your account login.

This option can usually be enabled for free from an account's security settings, which often makes SMS-based 2FA the preferred choice for small budgets.

However, this system does have its weaknesses. If a cybercriminal gains control of your phone number or device, they can receive the code and enter it in your place.

Currently, remotely hacking mobile phones is not as common as cracking passwords, so this is still an effective form of 2FA.

Mobile code 2FA is very common, and you will see it utilized on more and more systems and websites for professional and personal use.

2. App-based 2FA

You can download a 2FA app like Google Authenticator or Microsoft Authenticator to your mobile device or desktop. The app will generate login codes for you to use with websites or accounts you’ve added to the app.

Again, many of these apps are free to use, making them very popular for lower budgets.

App-based 2FA can be compromised if your phone is stolen and unlocked or, in rare instances, if your phone's SIM card is cloned or swapped. This would give the criminal access to the app.

Due to the combination of safety and affordability, app-based 2FA is one of the most popular 2FA protection systems amongst IT providers.

3. Token-based 2FA

Token-based 2FA generates codes on a small, physical device called a "token." The token has a button to generate a code and a small screen to display it. Each token is linked to a specific account or website.

Tokens must be purchased individually, making token-based 2FA the most expensive but one of the most secure 2FA options.

A single token must be purchased for every user.

Because codes are generated through tokens, this form of 2FA is incredibly secure. However, users can be tricked into giving up their codes through phishing attempts, so be sure never to give your login codes to anyone you can’t verify.

Additional information on the levels of cyber protection

Not all forms of login protection are created equal.

Below, you can see more information on the levels of protection and their related weaknesses in the Consumer Authentication Strength Maturity Model (CASMM) version 6.

This infographic illustrates the various levels of protection through color coding: red at the bottom marks the least protective methods, and the colors progress to green for the most protective. The 2FA systems appear in blue and green.

A chart illustrating degrees of login method security. They are ranked from level 1 in red (least secure) to 8 in green (most secure). In order from least to most secure, they are: shared passwords, unique passwords, quality passwords, password manager, SMS-based 2FA, app-based 2FA, token-based 2FA, and passwordless.

How 2FA helps protect data

As previously stated, 2FA adds another protective layer. Your password may act as the knob lock on the door to your account, but 2FA is the deadbolt.

2FA codes are also difficult to hack because they are random and time-sensitive. Even if cybercriminals manage to guess a code, they must use it within its time limit. Once the time limit expires (usually 15 minutes or fewer and, in most cases, 60 seconds), the original code will no longer unlock the account, and a new code is needed.
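To show concretely why an expired code stops working, here is an added example (not code from the original article or from any particular authenticator product) of the RFC 6238 time-based one-time password scheme that app- and token-based 2FA commonly use. The secret is the RFC's published test secret, the 30-second step and 6-digit length are assumed common defaults, and the one-step clock-skew tolerance in the check is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the 20-byte ASCII test secret from RFC 6238 Appendix B.
# A real authenticator shares a random secret between the app/token and the service.
SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds each code stays valid (common default, assumed here)
DIGITS = 6       # code length shown by most authenticator apps


def totp_code(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the shared secret
    and the current time-step counter, so it changes every `step` seconds."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the code only for the current step or an adjacent
    one (small clock-skew tolerance, assumed here). An older code is rejected even
    though it was once valid, which is what makes a stolen or guessed code expire."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret, now + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    issued_at = 59                        # the user's app shows a code at this moment
    code = totp_code(SECRET, issued_at)
    print("code shown in app:", code)                                                # 287082
    print("accepted right away:", verify_code(SECRET, code, issued_at))              # True
    print("accepted two minutes later:", verify_code(SECRET, code, issued_at + 120))  # False
```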

The primary way a cybercriminal can obtain a 2FA code is if the account holder tells them directly or is tricked into providing it via a phishing scam. So, be careful if you ever receive a phone call, email, or text message asking for your 2FA code. Never give your code to anyone.

2FA systems are quite successful at blocking hacking attempts. Many cyber insurance providers now require potential customers to have a 2FA system in place. Why? It significantly reduces the risk of a data breach. Well-protected data brings less financial risk for both businesses and insurance providers.

Disadvantages to using 2FA

Two-factor authentication adds a step to your login procedures, meaning it may take a few more seconds to log into your account as you generate and type in your access code. However, you may find that the added protection of 2FA is worth the extra seconds and login procedure.

Otherwise, 2FA is only a bad thing if you’re a cybercriminal.

How to start using 2FA

Now that you’ve learned about the different kinds of two-factor authentication and how they add additional protection to your accounts, you may want to start implementing these practices in your organization.

First, decide which 2FA system is appropriate for your needs and budget.

Then, speak to your IT provider or internal IT team about adding 2FA to your existing systems. Starting with 2FA doesn’t have to be intimidating, and you don’t have to do it alone.

If you have any questions, reach out to your IT provider, and they can provide insight and direction for your next steps.

If you do not currently have an IT provider, contact WEBIT Services for a free 30-minute consultation.

To learn more about cybersecurity, read “Cybersecurity risk levels: Where do you draw the line?”