Business basics
Protect your business with two-factor authentication (2FA)

As part of your business strategy, you need to think about how to protect both your systems and your customers' accounts. 2FA is one of the tools that can help.

Video transcript

There came a point in our journey towards this new digital age when the good old username and password combo just wasn’t cutting it anymore. Single factor authentication made it too easy for cyber attackers to hack into business systems and steal the data inside. So a new and improved way of securing systems was created, called two-factor authentication. This is quickly becoming standard practice online, with banks, email providers, online shopping sites and even social media sites offering users the option to enable '2FA'.

So what exactly is it? Well, two-factor authentication requires a user to enter a username, password and something else to prove they’re who they say they are. That ‘something else’ is either something you ‘know’, such as a passphrase, security question or PIN; something you ‘have’, such as a phone that generates a verification code, or a piece of software such as Google Authenticator; or something you ‘are’, such as a fingerprint scan, face ID or voice recognition.

You might have first-hand experience with 2FA already – you’ve probably been asked security questions and had to verify your voice while on the phone with the bank, or you could’ve had to get your phone out and open the Gmail app when trying to log in on your desktop. This process is becoming more and more common in an effort to protect your online accounts and information.

Businesses far and wide should be taking steps to use 2FA wherever possible, both internally and externally. Internally, you and your team should enable 2FA when accessing the systems you use day to day, and especially the ones that store personal, financial or customer data, making them a target for hackers. Get your team on board in understanding the importance of this process. Even if it does take a little longer to log in, the added security 2FA provides acts as an extra layer of defence.

Also, if your business involves customers logging into a platform or app that contains information they may want to protect, consider adding 2FA as a feature that they can enable. It’s just another way to show them that you care about their privacy and are striving to act in their best interests.

The option to enable 2FA is often found in the settings of the system in question. Take the time to flip that switch to ‘on’ today, and continue making waves in business armed with a little peace of mind that your data will be kept safe and secure.

What it is

When your staff log into a business system, or when your customers log into their account on your website, they use a username and password combination. This is known as single factor authentication. 

Two-factor authentication (2FA) requires them to provide something else on top of that, to verify that they are who they say they are. This can be:

  • something they have, or
  • something they are.

How it works

Something they have could be:

  • a security token or fob that generates access authentication codes
  • their phone, where they get a call back to press certain phone keys to grant access to an account
  • software like Google Authenticator that sends a notification to their smartphone, or provides them with an access code or one-time password (OTP).

Something they are includes things like:

  • fingerprint scans, and
  • voice recognition (biometric data).

For example, your staff or customers could get a random 6-digit number or one-time password (OTP) sent to:

  • an application on their smartphone, or
  • a key fob.

They'll need to use this to verify themselves when they're logging in, in addition to their normal username and password login details.

The risks

Businesses and organisations of any size can experience cyber security attacks. The problem with relying on a username and password to protect online accounts and systems is that people can’t always keep their passwords safe. Passwords can be stolen or guessed:

  • through a scam, like phishing
  • in a data breach.

Learn about phishing scams

Learn about data breaches

While an attacker may be able to get access to your staff or customers' login details quite easily, they’re unlikely to have access to the device receiving the authentication code or OTP as well. This makes it much harder for the attacker to gain access to someone's account.

Why it matters

It strengthens login security

Adding another level of security with 2FA makes it harder for an attacker to get into your online accounts or your business systems.

It meets customer security expectations

Customers expect websites to provide 2FA so they can protect their accounts and data. When given the choice, customers may choose a business that provides 2FA over one that doesn't. 

It reduces the risk of data theft

Adding a second level of authentication makes it harder for attackers to get access to an account — and harder to access the data inside.

It can protect risky access methods, like remote access

Remote access to a system or network can be risky since it has to be exposed over the internet. This type of access should always use 2FA so your staff can be secure while they're working remotely.

Enabling staff to work remotely

Protect your business with 2FA

If you're not sure where to start with 2FA, think about which systems you connect to via the internet. These are the systems that are more likely to be targeted in an attack, so they’re the ones most important to protect. They're likely to be things like:

  • your webmail
  • a VPN
  • any cloud-based service you use.

There’s no shortage of 2FA solutions on the market, but the approach and the technology they use can vary. Talk to your information security expert about the best solution for your business.

Implementing 2FA will vary from system to system. For cloud-based services, you may be able to enforce 2FA for all staff that have access to that service. For services that you manage or build yourself, you can refer to CERT NZ's critical controls for more advice.

Critical controls: Multi-factor authentication – CERT NZ

2FA is a great security measure, but it's not foolproof – you still need to implement other good security practices. You should also have a plan in place for what to do if something goes wrong.

Creating an incident response plan

Get help

If you’ve experienced an online security issue, your first step is to contact the service provider.
You can also report an online issue or security incident to us at CERT NZ.
