Security gurus have long recommended the use of two-factor authentication as a key method of improving the security of your organization’s most critical information. But more than 40 percent of companies continue to run single-factor authentication environments, in which employees gain network access by simply entering an approved user name and password.
Two-factor authentication adds a second layer of verification to the log-in process, requiring users to have two of the following three types of credentials to get inside:
- Something they know, such as a password or PIN.
- Something they have, such as a smartphone or token fob.
- Something they are, such as an iris or fingerprint verified by a biometric scan.
You probably used two-factor authentication the last time you filled your car’s gas tank. The pump display directed you to slide your credit card into the slot (something you have), then asked for your ZIP code (something you know).
Don’t be fooled into believing challenge questions provide a useful second factor. Entering your password, then the name of your first-grade teacher, then your favorite band in high school represents something you know, something else you know, and then some other thing you know. (Although I wouldn’t brag too loudly about being such a Creed fan.)
To be sure, 2FA isn’t foolproof. RSA Security, a groundbreaker in the use of tokens for IT security access, was itself famously hacked in 2011. But pointing to the RSA breach as a valid reason to ignore 2FA is like saying you had an uncle who smoked cigarettes and lived to be 90.
Anything that makes it harder for a hacker to get in represents an improvement in the security of your network – especially in an environment in which three-quarters of successful network incursions are triggered by the actions of employees. By making a would-be intrusion more difficult, you are shutting out both the least sophisticated and the most opportunistic of cyber attackers. That’s a large subset of the criminal element you’ve just eliminated, and it represents a good start.
But it’s only a start. Because when it comes to cybersecurity, everything you do matters.