- August 30, 2022
- Posted by: jordanwertley
- Category: Cybersecurity
Two-Factor Authentication, or 2FA, is a login control that protects data, accounts, and systems by requiring two independent proofs of identity instead of a password alone. Microsoft and Google are both moving to make 2FA mandatory for their users. Read on to learn how it works and why it comes so highly recommended.
A hacker downloads a database of stolen usernames and passwords from the dark web. Among them are the credentials Amy Loggins uses every day to access and update her blog.
Now her password is in the hands of a hacker, and he’s eager to search for Amy’s personal or financial details and send malicious links in her name to the 1400 subscribers who trust her. The hacker runs a program to attempt to log in as Amy – then growls in frustration as a message appears on the screen.
“New device detected. Please enter the code we texted you.”
The hacker had hoped Amy’s blog would be easy prey. Luckily for Amy, her account is guarded by two-factor authentication (2FA), a security protocol which adds a layer of protection to computer systems by requiring additional proof of identity. Annoyed, the hacker removes Amy’s credentials from his list. He only has time for easy victims.
Amy, meanwhile, is outside tending her vegetable garden when she gets a text message from her blogging platform, asking her to verify an unknown login. Keenly aware of the trouble she avoided, she sets down her trowel and takes a moment to set a new, more secure password.
At Aegis IT Services, we hear a lot of stories that start like our friend Amy’s did – with stolen credentials and a cybercriminal eager to wreak havoc. We want to see all of them have the same happy ending, which is why we enthusiastically endorse 2FA to all our clients. But don’t take our word for it – tech giants Microsoft and Google will both be mandating 2FA for all users this fall.
What is 2FA?
As we mentioned above, Two-Factor Authentication – usually shortened to 2FA – is a security feature that protects access to systems and data, including remote access technology, email accounts, customer databases, and billing systems. It works by requiring a user to prove their identity with two verification factors drawn from different categories. Two passwords are not two factors: a single phishing email or leaked database can expose both, whereas a stolen password tells the attacker nothing about a code generated on the user's phone.
Typically, users identify themselves using two of the following components, commonly described as:
- Knowledge factor – what you know. The knowledge factor is the most common type of credential and includes traditional passwords and PINs, as well as security questions such as “mother’s maiden name” or “childhood pet.” Security questions are the weakest of the group, since the answers are often public or easily guessed.
- Possession factor – what you have. The possession factor is currently the favored secondary authentication for most systems. It includes one-time codes delivered by SMS or generated by a dedicated authenticator app, push notifications to an enrolled phone, hardware security keys, and ID cards. Of these, SMS is the weakest: a code sent over the phone network can be intercepted or redirected, for example by an attacker who has hijacked the victim's phone number, while app-generated codes, push prompts and hardware keys do not depend on the carrier at all.
- Inherence factor – who you are. The most convenient method of identification, the inherence factor includes biometrics such as fingerprint readers, facial recognition, and retinal scanners. Once reserved for secret agents and sci-fi thrillers, inherence factor authentication is becoming commonplace as the technology grows more reliable and affordable.
Multi-factor authentication (MFA) is the general term for requiring two or more factors; 2FA is the special case of exactly two. In everyday use the two terms are often used interchangeably.
How Does 2FA Work?
A typical 2FA login would go as follows: Kenneth is connecting to his work account from a new laptop. He enters his username and password, as usual. Because the system does not recognize his device, it prompts him for an authentication code. Kenneth pulls out his phone and enters the temporary code displayed in an authentication app. Now he has successfully verified his identity in two ways – with a password (knowledge factor) and a code from his phone (possession factor) – and the system allows him access. He goes about his workday.
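The code Kenneth reads off his authenticator app is almost always a TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the current 30-second time step. The following Python is an added illustration, not code from the original post or from any vendor's authenticator: it shows enrollment (a random shared secret and the otpauth:// URI that apps read from a QR code), code generation on the app side, and server-side verification with a small clock-skew window and replay rejection. The secret and timestamps used for the checks are the RFC's published test values; the enrollment names are constructed.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226). Added example; the secret and
timestamps are the RFC test vectors, the issuer/account names are made up."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # time step shared by app and server
DIGITS = 6          # code length shown in the app

# Shared secret from the RFC 4226 / RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic
    truncation" picks 4 bytes at the offset given by the MAC's last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step, so the app
    and the server agree on the code without the secret ever leaving either."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, last_used_step: int = -1) -> Optional[int]:
    """Server-side check. Returns the matched time step on success (the caller
    must persist it as last_used_step so the same code cannot be replayed
    inside the window) or None on failure. window=1 tolerates +/- one step of
    clock drift between the phone and the server."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = unix_time // STEP_SECONDS
    for drift in range(-window, window + 1):
        candidate = current + drift
        if candidate <= last_used_step:
            continue  # this step's code was already consumed: reject replay
        # compare_digest keeps timing independent of where the mismatch occurs
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def new_enrollment(issuer: str, account: str) -> Tuple[bytes, str]:
    """Enrollment: a random 20-byte secret plus the otpauth:// URI in the Key
    URI format that Google Authenticator and compatible apps scan from a QR
    code. Store the secret server-side; show the URI once, then discard it."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return secret, uri


if __name__ == "__main__":
    # Constructed login: pretend the server clock reads 1234567890.
    now = 1234567890
    code = totp(RFC_SECRET, now)            # what Kenneth's app displays
    print("app shows", code)
    print("server accepts step", verify_totp(RFC_SECRET, code, now))
    print("replay rejected:", verify_totp(RFC_SECRET, code, now,
                                          last_used_step=now // STEP_SECONDS))
    _, uri = new_enrollment("Example Corp", "kenneth@example.com")
    print(uri)
```

Two details matter operationally: the secret is the whole trust anchor, so it belongs in the same storage class as password hashes (encrypted at rest, never logged), and without the last_used_step bookkeeping a code phished from the user remains valid for the rest of its window, which is exactly the gap real-time phishing kits exploit.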
Even outside the tech world, millions of people use 2FA every single day. For example, paying for groceries with a debit card and PIN requires both a possession factor (the card) and a knowledge factor (the PIN). Some doctor’s offices offer a speedy check-in using the patient’s name and a fingerprint reader; strictly speaking the name is an identifier rather than a secret, so the fingerprint (inherence factor) is doing the authenticating there, and it only becomes two-factor when paired with something the patient knows or carries.
Despite this, most online logins still use single-factor authentication – a password – by default. Cybercriminals love this! A password is a single secret that can be guessed, phished or leaked, and anyone who learns it is indistinguishable from the rightful user. Every new breach puts more of them into circulation.
Passwords are vulnerable for several reasons. First, users consistently (and notoriously) practice poor password hygiene, choosing easily guessable words or number combinations, as documented in a report by password manager LastPass. Next, and even worse, a staggering 64% of users re-use the same password across websites.
Users at least have some control over their password hygiene. Unfortunately, on top of this, credential theft is skyrocketing, up 65% from 2020. Threat intelligence firm Digital Shadows recently reported uncovering 24.6 billion username and password pairs exposed on the dark web. These logins are typically stolen in data breaches and similar leaks, then sold as databases to other criminals.
Often, hackers use these ill-gotten goods for “credential stuffing” attacks, running a program that tries each username and password pair against dozens or hundreds of websites. This is a bit like a crook finding a key on the ground in an apartment complex and then going door-to-door trying it in every lock.
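From the defender's side, a credential-stuffing run has a recognizable shape in the authentication logs: one source address, many different usernames, roughly one attempt each, a burst of failures and the occasional success where a reused password happened to work. The Python below is an added example (not from the original post) that classifies source IPs from such logs; the log format and the sample lines are constructed for the demo, and the thresholds are illustrative starting points rather than tuned values.

```python
"""Added example: spotting credential stuffing in auth logs. Log format and
lines are constructed; adapt LINE_RE and the thresholds to your own system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log. 203.0.113.7 replays a leaked list: many users, one
# try each, in seconds, with a single hit (a reused password). 192.0.2.44
# hammers one account instead. 198.51.100.20 is a real user who mistyped once.
SAMPLE_LOG = """\
2022-08-30T10:00:01Z ip=198.51.100.20 user=amy.loggins result=FAIL
2022-08-30T10:00:09Z ip=198.51.100.20 user=amy.loggins result=OK
2022-08-30T10:01:00Z ip=203.0.113.7 user=bob.tran result=FAIL
2022-08-30T10:01:03Z ip=203.0.113.7 user=carla.ng result=FAIL
2022-08-30T10:01:06Z ip=203.0.113.7 user=dave.ortiz result=FAIL
2022-08-30T10:01:09Z ip=203.0.113.7 user=amy.loggins result=OK
2022-08-30T10:01:12Z ip=203.0.113.7 user=erin.k result=FAIL
2022-08-30T10:01:15Z ip=203.0.113.7 user=frank.m result=FAIL
2022-08-30T10:01:18Z ip=203.0.113.7 user=gina.w result=FAIL
2022-08-30T10:01:21Z ip=203.0.113.7 user=hal.p result=FAIL
2022-08-30T10:20:00Z ip=192.0.2.44 user=ivan.r result=FAIL
2022-08-30T10:20:30Z ip=192.0.2.44 user=ivan.r result=FAIL
2022-08-30T10:21:00Z ip=192.0.2.44 user=ivan.r result=FAIL
2022-08-30T10:21:30Z ip=192.0.2.44 user=ivan.r result=FAIL
2022-08-30T10:22:00Z ip=192.0.2.44 user=ivan.r result=FAIL
2022-08-30T10:22:30Z ip=192.0.2.44 user=ivan.r result=FAIL
"""

Event = Tuple[datetime, str, str, bool]   # (time, ip, user, success)


def parse(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           min_users: int = 5, min_attempts: int = 6) -> Dict[str, dict]:
    """Per source IP, slide a time window over its events and report
    'credential_stuffing' (many distinct usernames inside one window) or
    'brute_force' (many attempts against a single username). The 'hits' list
    holds accounts the attacker actually got into from that IP."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if len(users) >= min_users:
                kind = "credential_stuffing"
            elif len(chunk) >= min_attempts and len(users) == 1:
                kind = "brute_force"
            else:
                continue
            score = (len(users), len(chunk))  # keep the widest window seen
            if best is None or score > best[0]:
                best = (score, {"kind": kind, "distinct_users": len(users),
                                "attempts": len(chunk),
                                "hits": sorted({e[2] for e in chunk if e[3]})})
        if best:
            findings[ip] = best[1]
    return findings


if __name__ == "__main__":
    for ip, info in detect(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The accounts in "hits" are the ones whose password is now known to be valid; even when 2FA stopped the login at the second step, those passwords should be reset, and a stuffing run spread across many IPs (the usual case with botnets) is better caught by counting distinct usernames per password-failure burst platform-wide rather than per address.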
When Amy Loggins almost lost access to her blogging account, it was because she was using one password for multiple sites. Her credentials were originally compromised in either an 8tracks data breach in 2017 or a Roll20 data breach in 2018, and both sites assured users at the time that the stolen passwords were protected: they were stored as hashes, not in the clear. That is not the same as unrecoverable. A hash cannot be reversed, but an attacker who holds the dump can guess candidate passwords offline, hash each one and compare, and a common or short password falls to that process quickly. Amy’s experience in 2022 – half a decade later – shows the consequence: a reused password only has to be cracked once, in whichever breach stored it most weakly, to unlock every other site where it is used.
Of course, using a unique and complex password for every login reduces the risk of a hijacked account, but even the best password can still be stolen. It might be exposed in a data leak, recovered from a leaked hash by brute-force or dictionary guessing (trying candidate passwords until one hashes to the stolen value), or simply handed over by the victim of a phishing scheme.
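To make the "hashed is not unrecoverable" point concrete, here is an added Python example (not from the original post, and not a description of how 8tracks, Roll20 or any other named site stored passwords): a constructed dump that uses an assumed unsalted SHA-1 scheme, fictional users, and a six-word list standing in for the multi-gigabyte wordlists used in practice. The weak and reused passwords are recovered immediately; the long random one is not in any list and survives.

```python
"""Added example: offline dictionary attack against a constructed dump of
unsalted SHA-1 password hashes. Users, passwords and wordlist are made up."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" records: (username, unsalted SHA-1 of the password).
LEAKED: List[Tuple[str, str]] = [
    ("amy.loggins", sha1_hex("Sunflower2017")),        # weak, and reused on her blog
    ("bob.tran", sha1_hex("password1")),
    ("carla.ng", sha1_hex("c7#Vq9!rLp2$wXe0Zt")),      # long random: in no wordlist
]

# A toy stand-in for the hundreds of millions of entries in real wordlists.
WORDLIST = ["123456", "password", "password1", "qwerty", "Sunflower2017", "letmein"]


def crack_unsalted(records: Iterable[Tuple[str, str]],
                   wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up against every record. With no
    per-user salt, one guess costs one hash no matter how many users are in
    the dump, which is why unsalted fast hashes fall so quickly."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in records:
        by_hash.setdefault(h, []).append(user)
    recovered: Dict[str, str] = {}
    for guess in wordlist:
        for user in by_hash.get(sha1_hex(guess), []):
            recovered[user] = guess
    return recovered


if __name__ == "__main__":
    for user, pw in crack_unsalted(LEAKED, WORDLIST).items():
        print(f"{user}: {pw}")   # these pairs go straight into a stuffing list
```

Every pair this returns is exactly what gets fed into the credential-stuffing programs described above; the attacker pays the cracking cost once and then tries the result everywhere. 2FA does not make the password unguessable, it makes the guessed password insufficient.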
How well does 2FA work?
Enabling 2FA dramatically improves the odds of protecting one’s account. A 2019 Google study found that “an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
Google is moving towards making 2FA mandatory for all Google accounts. Over 150 million accounts have been auto-enrolled so far. Earlier this year, Google reported that users protected by 2FA have seen a 50% drop in compromised accounts.
Multiple government agencies tasked with consumer protection also endorse 2FA for protecting one’s accounts. The Federal Trade Commission has recommended businesses use 2FA since 2015, naming it as one of their secure password practices. In 2021, the Cybersecurity and Infrastructure Security Agency specifically condemned single-factor authentication, adding it to their catalog of “bad practices” that endanger the online welfare of both government and the private sector.
Finally, a word to the wise: a report from the Institute of Electrical and Electronics Engineers (IEEE) found that many users are tempted to lean heavily on 2FA to protect their accounts, choosing weaker passwords once 2FA is enabled. Remember, 2FA should supplement a strong password, not replace it.
Ready for 2FA?
In the words of Microsoft researchers, 2FA is “one simple action… to prevent 99.9 percent of attacks on your accounts.” Services such as Microsoft and Google are moving towards mandating 2FA within the next year. Smart users (that’s you!) can get ahead of the curve and enable it immediately. Take action today, and switch on 2FA to protect your data, secure your accounts, and frustrate a hacker. Are you looking for managed cybersecurity services in York, Lancaster, Harrisburg, Reading, and Central PA? Call us today at (717) 995-8600!