What it is
When your staff log into a business system, or when your customers log into their account on your website, they use a username and password combination. This is known as single factor authentication.
Two-factor authentication (2FA) requires them to provide something else on top of that, to verify that they are who they say they are. This can be:
- something they have, or
- something they are.
How it works
Something they have could be:
- a security token or fob that generates access authentication codes
- their phone, where they get a call back to press certain phone keys to grant access to an account
- software like Google Authenticator that sends a notification to their smartphone, or provides them with an access code or one-time password (OTP).
Something they are includes things like:
- fingerprint scans, and
- voice recognition (biometric data).
For example, your staff or customers could get a random 6-digit number or one-time password (OTP) sent to:
- an application on their smartphone, or
- a key fob.
They'll need to use this to verify themselves when they're logging in, in addition to their normal username and password login details.
Businesses and organisations of any size can experience cyber security attacks. The problem with relying on a username and password to protect online accounts and systems is that people can’t always keep their passwords safe. Passwords can be stolen or guessed:
- through a scam, like phishing
- in a data breach.
While an attacker may be able to get access to your staff or customers' login details quite easily, they’re unlikely to have access to the device receiving the authentication code or OTP as well. This makes it much harder for the attacker to gain access to someone's account.
Why it matters
It strengthens login security
Adding another level of security with 2FA makes it harder for an attacker to get into your online accounts or your business systems.
It meets customer security expectations
Customers expect websites to provide 2FA so they can protect their accounts and data. When given the choice, customers may choose a business that provides 2FA over one that doesn't.
It reduces the risk of data theft
Adding a second level of authentication makes it harder for attackers to get access to an account — and harder to access the data inside.
It can protect risky access methods, like remote access
Remote access to a system or network can be risky since it has to be exposed over the internet. This type of access should always use 2FA so your staff can be secure while they're working remotely.
Protect your business with 2FA
If you're not sure where to start with 2FA, think about which systems you connect to via the internet. These are the systems that are more likely to be targeted in an attack, so they’re the ones most important to protect. They're likely to be things like:
- your webmail
- a VPN
- any cloud-based service you use.
There’s no shortage of 2FA solutions on the market, but the approach and the technology they use can vary. Talk to your information security expert about the best solution for your business.
Implementing 2FA will vary from system to system. For cloud-based services, you may be able to enforce 2FA for all staff that have access to that service. For services that you manage or build yourself, you can refer to CERT NZ's critical controls for more advice.