Two-factor authentication can be your biggest flex this year to secure your business’s information. But how? The history of business is filled with anecdotes of theft. Some of these incidents have been as prosaic (but effective) as a couple stealing $5 billion from grocery retailer Safeway, mostly by pinching a few items here and there over the course of 178 trips. Others have been as memorable as the Santa Claus Bank Heist of 1927 in Cisco, Texas.
But theft does not need to result in billions of dollars in losses or be as spectacular as Kris Kringle holding up a bank with a pistol. What’s more, criminals are not always after cash or inventory. Sometimes they are just after information. Although to be fair, that information is usually a means of getting cash.
Around 76% of polled organizations in English-speaking countries said that they had suffered at least one data breach in 2022, a significant increase from the 55% who said the same in 2020. Crime and cybercrime are on the rise, by as much as 600% since the Covid pandemic according to some estimates from the cyber insurance industry.
That means even small and midsize businesses are going to have to adapt some of the same security strategies leveraged by larger corporations to protect assets like servers, networks, and digital data. And one of the simplest things that a business can do to secure some of these assets is to use two-factor authentication.
What is Two-Factor Authentication?
Multi-factor authentication, or MFA, is one of the simplest, most effective ways to make sure that someone is who they say they are. Also referred to as two-factor authentication or 2FA, it is an extra layer of security that essentially involves 2-step verification.
Each of these two steps relies on one of the following authentication factors: knowledge, possession, and inherence. The end goal of MFA or 2FA is to keep an asset from being accessed by an unauthorized third party, who would have a much easier time getting past a single layer of security.
Although many consumers (and business owners) are familiar with two-factor authentication, namely through the request to input a code texted to their phone or email, two-factor authentication has actually been around a lot longer than you might think. Taking money out of an ATM, for instance, is a form of two-factor authentication: your physical debit card is an example of possession, while the PIN is an example of knowledge.
The Different Types of Two-Factor Authentication
There are certainly different forms of two-factor authentication. The form of 2FA most commonly used by consumers and businesses is a username and password as one layer, followed by a code texted to the phone number listed on the account they are attempting to access. But this is just one of several forms of 2FA. The permutations and combinations are largely based on the three different types of authentication factors:
Possession is a factor that relates to something the user has, which could include a bank card, key, or security token—like a USB stick or a hard crypto wallet.
Inherence relates to something the user is and can be expressed in the form of a request for biometric data—like a fingerprint, retinal scan, face scan, or keystroke dynamics.
Knowledge is a factor that relates to something the user knows, which could be a password or a PIN. Sending a push notification carrying a PIN or one-time code to a trusted device is a commonly used 2FA method.
Personal Two-factor Authentication
For example, Apple two-factor authentication might send a code to a secondary Apple device you own, while Google two-factor authentication may ask you to open up your Gmail account on a trusted device. Facebook two-factor authentication (for those who have enabled it) will do something similar by allowing the user to choose an SMS code, a security key on a trusted device, or a login code from a third-party app. And Instagram two-factor authentication will send you an email if the device logging into the account is unrecognized.
Small Business Two-factor Authentication
As it relates to most small businesses, a third-party app will probably be the go-to method of authentication beyond username and password security. A drawback to possession is that it requires everyone on duty to carry around a tangible item like a USB drive.
If for some reason they’ve left it at home, that can create a productivity gap. This isn’t a problem if the key is needed to access an office. But if you have a remote workforce and someone leaves their key at home on the way to their local Starbucks (the security of that public network being a different issue entirely), you’re looking at a big delay.
You might think that biometrics are beyond your business budget. While retinal scans might make you think of The Bourne Identity, they’re becoming increasingly accessible, a trend accelerated (as are many recent trends in business tech) by the Covid pandemic and the resultant shift to a remote workforce. Biometric authentication is arguably the most secure form of authentication because nobody can replicate that information. And although it might be possible in the future, that sounds like a sci-fi crime thriller for another day (one that involves cloning).
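To show how the codes from the third-party authenticator app mentioned above are actually checked, here is an added example (not code from the original article) of server-side RFC 6238 TOTP verification in Python. It assumes the shared secret has already been provisioned to the employee’s app during enrollment (not shown) and adds two defensive details a small business would want: a one-step clock-drift window, and a record of the last accepted time-step so a code that was already used, or phished out of the user, cannot be replayed.

```python
"""Verify authenticator-app codes (RFC 4226 HOTP / RFC 6238 TOTP). Added example, not from the article."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30     # time-step in seconds used by common authenticator apps
DIGITS = 6
WINDOW = 1    # accept one step either side of "now" to tolerate phone clock drift

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, submitted: str, now: int,
                last_used_step: Optional[int] = None, window: int = WINDOW) -> Optional[int]:
    """Return the time-step the code matched, or None if it is rejected.

    last_used_step is the step of the last code this account accepted; any code from that
    step or earlier is refused, so a captured code cannot be replayed inside the window.
    The caller must persist the returned step as the new last_used_step.
    """
    submitted = submitted.strip().replace(" ", "")
    current = now // STEP
    for step in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        # compare_digest keeps the comparison time independent of how many digits match
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None

if __name__ == "__main__":
    # Constructed demo secret (the RFC test-vector key); real secrets come from enrollment.
    demo_secret = b"12345678901234567890"
    print("code valid right now:", totp(demo_secret, int(time.time())))
```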
Is 2FA the Same as MFA?
One could argue that 2FA (two-factor) is a type of MFA (multi-factor), just like all poodles are dogs, but not all dogs are poodles. In some cases, however, 2FA might specifically refer to a combination of passwords and one-time codes provided by text or email.
By contrast, MFA could refer to any combination of two or three of the aforementioned categories: knowledge, inherence, and possession. You can bet your retina that top-secret military installations are probably leveraging all three types of authentication to access their most important assets, whether those are tangible weapons or sensitive information.
But according to other thought leaders in the security industry, MFA specifically refers to a combination of knowledge (password) and either possession (e.g. a physical key) or inherence (like biometrics).
In other words, the second layer cannot just be another piece of knowledge. Rather, it must be a tangible item or an inherent physical attribute. By contrast, 2FA might (and commonly does) pair two types of knowledge—most commonly a password and a texted code.
What Are the Benefits of Two-Factor Authentication?
While your business probably doesn’t need more than two layers of security, it might. Here are a few benefits it carries:
Reduce Insurance Premiums
In some cases, it may reduce the price of your insurance premiums, especially for cyber liability policies meant to protect you from the effects of a breach. That of course is a tangential benefit. The main benefit is preventing a data breach.
Preventing Data Breaches and Financial Loss
Data breaches are increasingly common, rising by 70% around the world. As you can imagine, one end goal of a data breach is to obtain financial information, like company or customer banking information.
Other attempts might be purely malicious, such as those by a disgruntled former employee, a category that comprises a whopping 75% of data breaches. And still others use ransomware to hijack an application or network and hold it hostage until the weregild is paid up (for readers unfamiliar with Old German, that means ransom money).
Two-factor authentication may seem like a headache each time you want to log into an application or access a company device. But just like anything else, a little bit of suffering in the present can save you a lot of suffering in the future…especially if that suffering involves the release of holiday party photos from a vengeful, terminated network engineer. And especially if particularly ugly sweaters were involved. Of course, losing money is perhaps even more motivating, no matter how ugly those holiday sweaters are.
Can Two-Factor Authentication Foil Common Hacking Methods?
This is by no means an exhaustive list of hacking methods, but it is a short list of 3 common strategies, and how effective 2FA can be against them.
Phishing is the most common hacking technique, and it doesn’t involve looking for salmon or mackerel—just sensitive personal or proprietary information. The strange spelling alludes to the nature of phishing attempts because something usually looks off.
Phishing often involves a hacker posing as someone else—a business or organization—with a request to troubleshoot some issue related to the victim’s account. Of course, to troubleshoot that issue, the phisher will need to get the victim verified, perhaps by collecting things like a password, username, or social security number for authentication.
Once the phisher has collected this sensitive information, they can then get what they really want. For consumers, that might be money. In the case of someone once embroiled in a romantic relationship with a narcissist, that might be hijacking their social media profiles (don’t laugh: romance scams are officially an FBI-categorized threat).
For a business, that might be some sensitive proprietary information like a secret recipe or customer data. Of course, these are not end goals in and of themselves but might have other end goals, like customer banking info, or a franchised blend of herbs and spices.
How to Combat Phishing Attempts
Phishing attempts are easy enough to spot with a little bit of vigilance. Emails will be sent from an unlikely address (e.g. one that does not contain the name of the business it purports to represent), or phone calls will be placed from a foreign location. The content of the inquiry might also exhibit poor formatting or a lack of expected formality, or at least some laughable attempts to replicate it by quoting badge numbers. Unfortunately, phishing attacks are not only getting more common (with a 61% increase) but more sophisticated.
Fortunately, they can (in most cases) be easily foiled with two-factor authentication. Even if a phisher gets the username and password they’re looking for, they can’t complete the process of accessing business data if they don’t have that second piece of information—such as a verification code sent to the right phone number, a retinal scan, or a USB stick.
Cookie theft sounds quite innocuous and perhaps a bit chocolatey. But in terms of accessing business data, it’s not grandma’s baked goods. It’s about stealing cookies off of company devices. Cookies are small text files that are used to store information. In a B2C relationship, that information might be about customer behavior.
But in both B2C and B2B contexts, cookies can also be used to store a username and password to provide a more streamlined login. Cookie thieves (as they’re called) can leverage a variety of tools, like malware, to steal cookies from a current or recent browsing session. The information contained in these cookies can then be used to access sensitive data.
To add to the headache, there is actually a black market for cookies, which can be resold. This market has proliferated threefold in recent years due to several factors, including the rise of remote workforces logging in to company platforms over unsecured networks.
This is especially true if company employees leave their web sessions active for long periods of time, for instance, if they are working on a particular application or just not interested in constantly having to re-authenticate themselves. Once the cookies are obtained, the information they contain can be used to gain access to proprietary information for things like extortion.
For instance, hackers attempted to extort Electronic Arts over 751GB of source code for the latest release of FIFA 21 after purchasing authentication cookies from a dark web marketplace called Genesis.
How to Combat Cookie Theft
The problem with cookie theft vis-à-vis two-factor authentication is that it can occur after the victim has already completed that verification step and logged into their end destination. There are a few ways to mitigate cookie theft.
One is using HTTPS for your website instead of HTTP, which essentially means that it has an SSL certificate. In the case of the cloud-based software your business is using, those companies will certainly be using HTTPS to encrypt their cookies in transit.
Another method is to shorten the life of the cookies in question, though that will necessitate more frequent authentication. In summary, cookie theft can actually circumvent two-factor authentication, but there are other backend ways to keep sticky fingers out of company data.
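To make the two mitigations above concrete, here is an added example (not from the original article) that audits a Set-Cookie header for a session cookie: it checks for the Secure flag (the browser then only sends the cookie over HTTPS) and for a short Max-Age, and, going beyond the article, also checks for HttpOnly and SameSite, which keep page scripts and cross-site requests from using the cookie. The eight-hour session policy and the sample headers are constructed assumptions.

```python
"""Audit a Set-Cookie header for session-cookie hardening. Added example, not from the article."""
from typing import Dict, List, Tuple

# Assumed policy: a session cookie should not outlive a working day (8 hours).
MAX_SESSION_SECONDS = 8 * 3600

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split 'name=value; Attr=val; Flag' into name, value and {attr_lowercase: value or True}."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def audit_session_cookie(header: str, max_age_limit: int = MAX_SESSION_SECONDS) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes every check."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:      # without Secure the browser also sends it over plaintext HTTP
        findings.append("missing Secure: cookie can travel over HTTP where it can be sniffed")
    if "httponly" not in attrs:    # without HttpOnly any script on the page can read it
        findings.append("missing HttpOnly: readable from document.cookie by page scripts")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "max-age" in attrs:
        try:
            age = int(str(attrs["max-age"]))
        except ValueError:
            age = -1
        if age < 0 or age > max_age_limit:
            findings.append(f"Max-Age={attrs['max-age']} exceeds {max_age_limit}s: long-lived session")
    elif "expires" in attrs:       # Expires is an absolute date; prefer a bounded Max-Age
        findings.append("Expires without Max-Age: lifetime not bounded relative to login")
    # Neither Max-Age nor Expires: a browser-session cookie, cleared on close. Acceptable here.
    return findings

def hardened_set_cookie(name: str, value: str, max_age: int = MAX_SESSION_SECONDS) -> str:
    """Build a Set-Cookie header that passes audit_session_cookie()."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"

# Constructed sample: a 30-day cookie with no protective flags, beside its hardened form.
WEAK_HEADER = "SESSIONID=7f3a9c; Path=/; Max-Age=2592000"
HARDENED_HEADER = hardened_set_cookie("SESSIONID", "7f3a9c")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header, "->", audit_session_cookie(header) or "OK")
```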
A SIM card (or subscriber identity module) is a small chip card used in a mobile phone, which holds essential data like contacts. SIM swapping or SIM jacking is a form of identity theft in which a cybercriminal steals a mobile phone number by having it assigned to a new SIM card in a different phone—like the one they are holding. Of course, this will necessitate calling the mobile carrier, impersonating the subscriber, and claiming that the original SIM card was lost or destroyed.
That’s not so easy, thankfully. Most mobile carriers will require a subscriber to verify themselves with an account-specific PIN and the last four digits of their social. But where there’s a will, there’s a way, as they say. And that way (for many cyber criminals) seems to be putting together the pieces of several large-scale data breaches.
For instance, an April 2021 data breach at Facebook released personal information from about 553 million accounts. You might not find that so significant. But what if you were in that 553 million? And you also happened to be in one of the several massive data breaches that happened in 2022?
It would be possible for criminals to begin putting some pieces of personal information together and making educated guesses about your PIN—your birthday, a spouse’s birthday, or a child’s birthday, for instance. There is then a decent chance that they could actually contact your phone carrier and assign your number to a different SIM.
How to Combat SIM Swapping
If you begin to notice your phone acting strangely, there’s a chance you have been victimized. One way to proactively deal with this possibility is to manage your online presence.
Set your social profiles to private, and delete old accounts you no longer use, because they can become access points for gleaning personal information. Cybercriminals are getting savvier and more determined. While SIM swapping is not as likely as other forms of crime, it can be a way for criminals to get around 2FA.
So How Can I Secure My Business with Two-Factor Authentication?
If your business is using subscription-based cloud-managed services for anything, there’s a likelihood that those companies will offer you the chance to use two-factor authentication. For instance, Mailchimp and ConstantContact are two marketing platforms that will allow you to activate 2FA to access your accounts. For internal applications, networks, or servers, you may need to find a security vendor who can provide a multi-factor authentication app.
Your business can also use 2FA to secure customer payments or for access to a customer-facing portal on your website. This can be an excellent way to mitigate payment fraud and identity theft, with larger implications of reducing chargebacks and digital liability.
Your business should be using 2FA on all of its applications, whether they are in-house or outsourced. And if you already have it, we recommend not turning off two-factor authentication for any reason. As for what the future holds in terms of preventing cyber crimes, it seems very likely that biometrics will supplant the SMS PIN-code method because this type of authentication is arguably the most difficult to hijack—but that’s a story for a different day.
Two-factor authentication is an extra layer of security that involves multiple authentication methods: knowledge, possession, and inherence.