Tuesday, August 20, 2013

REPOST: Can Two-Factor Authentication Keep Your Company's Data Safe?

Hacking has plagued Internet users for as long as the World Wide Web has been available for public use. With mobile devices adding to the Internet platforms in use, web companies invest heavily to protect consumers' privacy, yet many users prefer to have their own security checks in place. This Mashable article discusses the effectiveness of the two-step verification process and other hack-prevention tactics.
Image source: Mashable
Peter asks,
"What's the best way to keep my organization safe from hacking? Is Two-Factor Authentication enough?"
Great question. In the last year, two-factor authentication, sometimes called two-step verification, has become a hot topic among consumers and business users.
The idea behind two-factor authentication is that in addition to your regular password, users need to provide an additional bit of information when logging into a service or application. This information is usually a one-time password that is generated either using a mobile app or a physical device such as the YubiKey. Sometimes, those one-time passwords are sent via text message to a user's mobile phone.
Depending on the service and the security settings, these additional passcodes can be required on every login or just when logging in on new machines or from new locations. Most services also require users to re-authenticate themselves every 30 days, regardless of location. The idea is that by requiring additional information that can only be provided by the authorized person, hacks by outsiders are much less likely.
Google first offered two-factor authentication for its Google Apps and Gmail accounts back in 2010. Facebook followed up with its own version of two-factor verification in 2011. In the last year, we've seen other consumer-facing companies follow suit, including Dropbox, LinkedIn, Apple, Microsoft and Twitter.
OK — so is this enough to prevent your organization from being hacked? It's a good step — but two-factor authentication is not a panacea.
The important thing to remember about two-factor authentication is that like all security, it's only as strong as its weakest link. Many companies offer users a way to verify their logins using a mobile app or an SMS code. This means that if a user loses his phone, he's going to lose physical control over that method of authentication.
Because most services don't require users to use a passcode for every login (especially on known machines or networks), if someone gains physical access to your machine, your information could still be compromised.
These situations are unlikely vectors for most hacks, but it's important to remember that while it's a good start, two-factor authentication is not the only solution for security.
If you use consumer-facing web products with your business, we highly recommend requiring all users to enable and use two-factor authentication. In the past few months, we've seen a spate of phishing attacks targeting various organizations that use Google Apps. The use of two-factor authentication greatly reduces the ability of those attackers to break into accounts, even if they are able to get a user to give up their password.
Here are some additional tips to use in conjunction with two-factor authentication:
  • Require all employees to use a different and distinct password for every web service used by the company. What frequently happens is that someone uses the same password for their email as they do for a CMS. That means that even if a hacker can't phish his way into the mail system, he might be able to access other services controlled by that same username.
  • Encourage or require all employees to use a password management app such as LastPass or 1Password. I don't actually know the password for most of my most important accounts. Why? Because I use 1Password — a password manager that works on Mac, PC and iOS. Solutions such as PassPack and LastPass are often even more ideal for businesses because they allow employees to share passwords to accounts with one another, without revealing the actual password. It also makes updating shared passwords very, very simple.
  • Have a plan in place in case a phone or laptop is stolen. Applications such as Prey can help users track stolen or missing devices. Additionally, tools such as Apple's Find My iPhone and Samsung's Find My Mobile allow users to track and remotely wipe their lost or stolen smartphones.
  • Educate employees about phishing scams and tactics. Even the most seemingly savvy employees can get phished, so it's important to regularly explain best practices and common phishing techniques to employees. Also, NEVER email passwords.
  • Practice what you preach. If you're spreading the gospel of two-factor authentication, make sure you use it yourself.
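The first tip above (one distinct password per service) is easy to state and hard to audit by eye. As an added example, not from the article and not a feature of any password manager it names, here is a small audit that reads a password-manager CSV export and reports groups of services that share a password, naming only the services and never echoing the password itself. The export columns and the entries are constructed for the demo; the credentials shown are not real.

```python
import csv
import io
from collections import defaultdict
from typing import List

# Constructed sample export (column names assumed: title,username,password,url).
# Three services share one password; one does not.
SAMPLE_EXPORT = """title,username,password,url
Company mail,alice@example.com,correct-horse-battery,https://mail.example.com
Company CMS,alice,correct-horse-battery,https://cms.example.com
Issue tracker,alice,Tr0ub4dor&3,https://tracker.example.com
Wiki,alice,correct-horse-battery,https://wiki.example.com
"""


def reused_password_groups(export_csv: str) -> List[List[str]]:
    """Return one list of service titles per password that appears on more than
    one service, in order of first appearance. Passwords themselves are never returned."""
    services_by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        services_by_password[row["password"]].append(row["title"])
    return [titles for titles in services_by_password.values() if len(titles) > 1]


def audit_report(export_csv: str) -> str:
    """Human-readable summary: which services must get a fresh, unique password."""
    groups = reused_password_groups(export_csv)
    if not groups:
        return "No password is shared between services."
    lines = []
    for group in groups:
        # Mail is the usual phishing target, so call out groups that include it:
        # a phished mail password would open every service listed with it.
        flag = " (includes mail!)" if any("mail" in t.lower() for t in group) else ""
        lines.append("Shared password across: " + ", ".join(group) + flag)
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_EXPORT))
```

Run it against a real export only on the machine that holds the vault, and delete the export afterwards: the CSV is plaintext and is exactly the kind of file the article's "NEVER email passwords" rule exists for.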


eSecurity is constantly evolving. Telepacific helps customers thwart malicious attacks with products like OneSecure.  Like this Facebook page to stay updated about the company's other products.
