Two-Factor Authentication: A Look Back and Forward

A little over a year ago, we published an article explaining why you need two-factor authentication, commonly known as 2FA. A year later, we can definitively state that 2FA is absolutely necessary because attacks via email have increased. However, there have been some concerns about how it is implemented, and some may still reason that it is not necessary at all. This article addresses these areas.

Why Is Two-Factor Authentication Necessary?

Picture this: An email from the CFO directs Accounts Payable to cut a check to customer XYZ for $10,000 and mail it to an address. The check is in the mail when the CFO tells you that they never wrote that email. You show the CFO that it did indeed come from their email account, and that the email address is not spoofed. How did this happen? Simple: The CFO’s email password was compromised. These types of attacks have only increased in the past year.

Email Password Compromised

Someone used a web browser to log in to the webmail version of the CFO’s inbox, and then sent the email legitimately from their account, but with illegitimate intentions. However, had two-factor authentication been set up on the CFO’s email account, even with the password compromised, the attacker would never have gained access to the account without the second factor, the verification code, being verified. In other words, Accounts Payable would never have received that email, and you would not have to cancel a $10,000 check.

Isn’t 2FA a Pain to Use?

When a company decides to roll out two-factor authentication, or 2FA, objections from employees are common. This is especially true when they are asked to use a smartphone app to generate a 2FA code, or to have a text message sent to their phone to authenticate their work account. The typical objections center around privacy and using personal phones for business purposes.

However, do those employees have company email on their phones? Are they exchanging text messages with customers? If the answer is yes, then that information has to be protected from hackers. Even if an employee only uses email on a company computer, and nowhere else, that email account, like all email accounts, is a possible entry point for attack. Proper security measures must be taken. 2FA is one of the simplest and fastest ways to combat hackers.

Cyber Insurance Claims

When a security event happens, the damage is usually severe, and the costs of recovery are substantial. If you are a business owner who has cyber insurance, you may think you are protected. However, there is usually a clause in your policy to the effect of “failure to maintain”.

Under this clause, your claim will usually be denied if you did not maintain minimum or adequate security measures for your network. Given the evolution of how cyberattacks take place, having two-factor authentication enabled would very likely be considered an adequate security measure. It is better to exceed the bare minimum than to fall short of it.

Ready to Learn More?

There are many ways to implement two-factor authentication for an organization. What works for some may not work for others, and that is where Absolute steps in. We are your guide to finding the right, secure solution for your needs. Contact us today and we can help.