At RCTS CERT, security is a priority and is essential to the smooth running of our institution's services. Two-factor authentication (2FA) is an authentication process in which two of the three possible authentication factors are combined.
The three possible authentication factors are:
- Something the user knows, such as a password, a personal identification number (PIN) or the answer to a secret question.
- Something the user has, such as a smartphone or a USB device.
- Something the user is, such as face, voice or fingerprint recognition.
Even when best-practice password policies are in place, there is always a risk that passwords will be discovered (guessed, phished or leaked). It is in this context that 2FA significantly strengthens authentication: it adds a second factor to credentials that would otherwise consist only of a username and password, so a stolen password on its own is no longer enough to log in.
As more and more websites, services and companies make this technology available, this additional protection is becoming common. Although it started as a recommendation, the trend today is for it to become almost mandatory, due to persistent cyberthreats that can originate anywhere on the planet.
Resistance to adopting 2FA in enterprises is starting to dissipate, and more and more of them are rolling it out, thereby reducing the security risk to their infrastructure and services.
This additional layer of security protects users even if their credentials have been compromised. The second factor is typically a temporary, one-time code generated locally by a smartphone app or sent by SMS or email. Other methods include a push notification (a message sent to the smartphone where the user simply approves or denies the access attempt) or a hardware token. Codes delivered by SMS or email are the weakest of these options, since they depend on the security of the phone number or mailbox, but any of them is far stronger than a password alone.
Whatever 2FA solution is chosen, it should be simple and easy to use, to avoid resistance to its adoption.
This is a very important technology in the cybersecurity landscape, especially at a time when mobile working is increasing the cyber risk for companies and their users.
2FA should be used for internet banking, online shopping (Amazon, PayPal, Google Play), email (Gmail, Microsoft, Yahoo, Outlook), cloud accounts (Apple, Dropbox), social networks (Facebook, Instagram, LinkedIn, Tumblr, Twitter, Snapchat), productivity applications (Evernote, Trello) and communication applications (Skype, Slack). Above all, it should be used for access to corporate VPNs: that access naturally opens the door to many other internal resources, so it is crucial that it does not depend solely on a password.