What is two-factor authentication, or 2FA?
When it comes to your organisation’s online security, you can’t be too careful. The volume and sophistication of cyber security threats are increasing at a rapid rate, with Malwarebytes reporting that attacks on businesses increased by 13% in 2019. As a result, many companies are casting a critical eye over their current infosecurity practices. After all, a significant amount of personal, financial and confidential information is held in your business’s online accounts, and data breaches frequently result in revenue losses. For most organisations, there’s one simple step that can improve your employees’ cyber security discipline across the board: two-factor authentication, or 2FA.
Two-factor authentication explained
What is two-factor authentication? Authentication is the process of verifying the identity of a user in order to establish access to a computer system or online account. There are three main ‘factors’ for authentication: a knowledge factor (something you know, e.g. a password or a PIN), a possession factor (something you have, e.g. a mobile device or an ID card) and an inherence factor (something you are, e.g. a fingerprint or your voice). There are also ‘location factors’ and ‘time factors’, but these are much less common. Two-factor authentication simply means that your security system uses two of these factors.
In other words, two-factor authentication is a second layer of security on top of your password or PIN. If – after logging in with your password – you’ve ever been asked to enter a numerical code sent to your mobile device to prove your identity, you’re already familiar with 2FA. However, getting a code by text isn’t the only two-factor authentication method. There is a wide range of options, including authenticator apps, push notifications, software tokens, voice-based authentication and so on. In most cases, however, the extra layer of security is likely to be an SMS text message code.
What is an authenticator app?
While you’re likely to be familiar with most types of two-factor authentication, such as text messages, voice-based messages and push notifications, you may be a little less familiar with authenticator apps. In fact, they’re relatively simple. So, what is an authenticator app? Essentially, it’s an app on your mobile phone that generates digital verification codes which can be used to verify your identity when logging in to a website or application. There are many different authenticator apps to choose from, including Google Authenticator App, Duo Mobile and Authenticator – all of which follow roughly the same procedure.
Authenticator apps are generally considered to be a slightly more secure form of 2FA than receiving an SMS text message passcode. That’s because, technically speaking, SMS messages aren’t something you have, but something you’re sent. As such, there’s a small chance that hackers could trick your network provider into porting your mobile phone number into a different device (a type of fraud referred to as a ‘SIM swap’). Assuming they already have your password, this would enable an attacker to gain access to your account. By contrast, the verification codes for authenticator apps expire very quickly (usually after 20 or 30 seconds), and the code stays entirely within the app.
How does 2FA work?
Once you’ve set up two-factor authentication on your system – whether you’re using an authenticator app, push notifications or SMS messages – it’s relatively simple to use. Here’s a step-by-step guide to the 2FA process itself:
- The user is prompted to log in by the website or application.
- The user enters their username and password, fulfilling the first security factor.
- After the site recognises the user, they’ll be prompted to initiate the second step of the login process. At this stage, the user needs to prove that they have something, like an ID card or a smartphone, fulfilling the second security factor, i.e. ‘possession’. In most cases, users will be sent a one-time security passcode that they can use to confirm their identity.
- Finally, the user enters the one-time passcode (or presents their security key), and once the site has verified it, they’re granted access.
Why use two-factor authentication?
When it comes to online security, the most common authentication factor, by far, is the username/password combination. This means that most systems are only using single-factor authentication. Although passwords have been the go-to infosecurity standard for decades, there are several reasons why it may finally be time to move beyond passwords altogether. For a start, passwords are relatively easy to guess. Humans have poor memories, so in many cases we choose passwords that are comically weak: ‘password’, ‘12345’, ‘qwerty’ and so on.
It’s also important to remember that people have far more online accounts than they did when passwords were first introduced, which means that there are often simply too many passwords to remember. This leads to ‘password recycling’, where the same password is used for multiple accounts, so a single leaked password gives hackers access to all of them. When you factor in the rise of cybercrime and data breaches – such as the Yahoo 2013 data theft in which 3 billion accounts were hacked – it’s easy to see why passwords may no longer be the most secure form of protection.
Rather than fully-fledged 2FA, some websites use a security question as a kind of second factor. For example, you may be required to answer a question like ‘What’s your mother’s maiden name?’ or ‘What’s the name of your childhood pet?’ However, this practice has a range of weaknesses of its own. With such an abundance of personal information available on the web, hackers are often able to guess or look up the answers to these relatively basic questions. Furthermore, this practice isn’t ‘real’ 2FA, because a security question is simply a second knowledge factor: you’re essentially backing up a password with another password. In this sense, it’s much closer to two-step verification (2SV), a form of authentication that doesn’t require different factors, just multiple steps.
Bottom line: passwords are the lowest form of security, which is why two-factor authentication is increasingly becoming the basic security standard for enterprise.
Beyond two-factor authentication
As you can see, the benefits associated with 2FA are significant. But two-factor authentication isn’t the final destination for infosecurity. Far from it. After all, two-factor authentication isn’t foolproof. If an attacker wanted to gain access to your computer systems, a physical search of your premises could turn up an employee ID or a discarded storage device containing passwords. Furthermore, attackers can use phishing emails to capture the codes sent by text message, potentially enabling them to bypass the second authentication factor. Ultimately, 2FA is only as strong as the weakest element of the security process.
So, what else is out there? Well, 2FA is simply a subset of a much larger concept: multi-factor authentication (MFA). Theoretically, you could have three-factor authentication, four-factor authentication, five-factor authentication and so on ad infinitum. While ordinary users aren’t likely to ever use anything beyond two-factor authentication, people who work in high-security environments may be required to use something like three-factor authentication (3FA), which typically involves the use of an inherence factor, such as a fingerprint or iris scan.
Securing your files with two-factor authentication
The importance of securing your business’s files and content can’t be overstated. Global cybercrime damages are estimated to reach around $6 trillion annually by 2021. The costs associated with cybercrime include the destruction or misuse of data, stolen money, post-attack disruption, the theft of intellectual property and lost productivity. But you also need to think about the potential expenses associated with restoring hacked data and systems, forensic investigation and reputational damage. As threats become increasingly sophisticated and the rest of the world implements two-factor authentication as standard, businesses that don’t risk leaving themselves vulnerable to predatory hackers. It’s like not wearing a seat belt because the car has airbags. Technically, you’re protected, but nowhere near as protected as you could be.
How to get 2FA with Dropbox
It’s clear that enabling two-factor authentication can have serious benefits for your business, but the process of rolling out 2FA across your entire company can be a little daunting. Fortunately, it doesn’t have to be too much of a challenge. Dropbox offers two-factor authentication. If you enable 2FA, Dropbox will require you and your team to provide a second form of authentication (e.g. a six-digit passcode or a security key) whenever you log in to your account or link a new tablet, computer or phone. In addition, Dropbox offers a number of password protection features that can help you secure and control your business’s sensitive information: you can add expiry dates to shared links and password-protect your PDFs and folders.
There are other cyber security measures that you can implement with Dropbox to help secure your files even more effectively. Dropbox’s cloud security is an ideal complement to two-factor authentication. Put simply, cloud data protection is Dropbox’s top priority. With multiple layers of protection across a distributed cloud infrastructure, you can ensure that all your online files are afforded the same level of protection. Plus, Dropbox’s enterprise-grade encrypted cloud storage can be used to comply with most global regulatory standards.
Two-factor authentication offers an extra layer of security for your business’s online files, keeping your sensitive data shielded from potential cyber threats.