Protect your business with two-factor authentication
As part of your business strategy, you need to think about how to protect both your systems and your customers' accounts. 2FA is one of the tools that can help.
What it is
When your staff log into a business system, or when your customers log into their account on your website, they use a username and password combination. This is known as single factor authentication.
Two-factor authentication (2FA) is a security setting that needs an extra piece of information, such as a text code or fingerprint, to log into an account. The extra piece of information is either:
- something they have, or
- something they are.
How it works
Something they have could be:
- a security token or fob that generates access authentication codes
- their phone, where they get a call back to press certain phone keys to grant access to an account
- software like Google Authenticator that sends a notification to their smartphone, or provides them with an access code or one-time password (OTP).
Something they are includes things like:
- fingerprint scans, and
- voice recognition (biometric data).
Biometric data means using your body to log in, such as scanning your fingerprints or iris.
For example, your staff or customers could get a random 6-digit number or one-time password (OTP) sent to:
- an application on their smartphone, or
- a key fob.
They'll need to use this to verify themselves when they're logging in, in addition to their normal username and password login details.
The risks
Businesses and organisations of any size can experience cyber security attacks. The problem with relying on a username and password to protect online accounts and systems is that people can’t always keep their passwords safe. Passwords can be stolen or guessed:
- through a scam, like when a scammer pretends to be someone else, such as a bank or NZ Post, usually via email, trying to get your personal information or even money
- in a data breach.
While an attacker may be able to get access to your staff or customers' login details quite easily, they’re unlikely to have access to the device receiving the authentication code or OTP as well. This makes it much harder for the attacker to gain access to someone's account.
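The check described under "How it works" and "The risks", as an added example that is not part of the original guidance: a login that succeeds only when the password and a fresh 6-digit code both match, so a stolen password alone is not enough. It assumes the time-based OTP scheme of RFC 6238 that authenticator apps commonly use; the names totp, Account and login are hypothetical, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP per RFC 6238 (HMAC-SHA1), as used by authenticator apps."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical record a service would store per user
    def __init__(self, password: str, salt: bytes, otp_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.otp_secret = otp_secret  # shared with the user's app or fob
        self.last_step = -1           # newest time step already accepted

def login(acct: Account, password: str, otp: str, now: float,
          step: int = 30, drift: int = 1) -> bool:
    """Succeed only if the password AND a fresh, unused OTP are both correct."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    matched = None
    for d in range(-drift, drift + 1):  # tolerate small clock drift
        t = int(now) // step + d
        if t > acct.last_step and hmac.compare_digest(
                totp(acct.otp_secret, t * step, step).encode(), otp.encode()):
            matched = t
    if pw_ok and matched is not None:
        acct.last_step = matched  # an accepted code cannot be replayed
        return True
    return False

# Constructed sample data: the published RFC 6238 test key, not a real secret.
SECRET = b"12345678901234567890"
if __name__ == "__main__":
    acct = Account("correct horse", b"constructed-salt", SECRET)
    print(login(acct, "correct horse", "000000", now=59))          # password only
    print(login(acct, "correct horse", totp(SECRET, 59), now=59))  # both factors
```
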
Why it matters
It strengthens login security
Adding another level of security with 2FA makes it harder for an attacker to get into your online accounts or your business systems.
It meets customer security expectations
Customers expect websites to provide 2FA so they can protect their accounts and data. When given the choice, customers may choose a business that provides 2FA over one that doesn't.
It reduces the risk of data theft
Adding a second level of authentication makes it harder for attackers to get access to an account — and harder to access the data inside.
It can protect risky access methods, like remote access
Remote access to a system or network can be risky since it has to be exposed over the internet. This type of access should always use 2FA so your staff can be secure while they're working remotely.
Protect your business with 2FA
If you're not sure where to start with 2FA, think about which systems you connect to via the internet. These are the systems that are more likely to be targeted in an attack, so they’re the ones most important to protect. They're likely to be things like:
- your webmail
- a way of connecting to the internet that hides where you are when you connect
- any cloud-based service you use.
There’s no shortage of 2FA solutions on the market, but the approach and the technology they use can vary. Talk to your information security expert about the best solution for your business.
Implementing 2FA will vary from system to system. For cloud-based services, you may be able to enforce 2FA for all staff that have access to that service. For services that you manage or build yourself, you can refer to CERT NZ's Critical Controls for more advice.
2FA is a great security measure, but it's not foolproof – you still need to implement other good security practices. You should also have a plan in place for what to do if something goes wrong.
Get help
If you’ve experienced an online security issue, your first step is to contact the service provider.
You can also report an online issue or security incident to us at CERT NZ.