What is Two-Factor Authentication?

2019 was a banner year for cybersecurity threats in both quantity and complexity. In the first half of the year alone, data breaches exposed 4.1 billion sensitive records, and more hackers have levied successful attacks against “unhackable” systems like Apple’s OS. Large scale security breaches generate a lot of buzz in the media, and there’s a lot to learn from events like these.

For everyday users, hearing about the frequency of data breaches should solidify the point—cybersecurity threats are not a far-off concern. If it can happen to Capital One or the United States Department of Defense, it can happen to a smartphone. For managed services providers (MSPs), the main takeaway is it’s becoming more challenging to secure customer data in an increasingly digital world full of cybersecurity issues. With the advent of IoT technologies, more sophisticated ransomware, and new APIs, MSPs need the right tools to secure their customers’ IT infrastructure. Two-factor authentication can keep end users safe from data breaches on a day-to-day basis.

What Is Two-Factor Authentication?

Two-factor authentication supplements effective password management by adding another layer of security to an account’s login procedure. It is a subset of multi-factor authentication (MFA) in which two distinct factors must be presented before a user is granted access to an account.

Two-factor authentication exists to strengthen passwords, not to replace them. It helps password management best practices keep pace with today’s cybersecurity threats. The average person must remember dozens of passwords to access their accounts. To make recall a little easier, they might go against password best practices and reuse passwords across a few accounts. Browsers like Google Chrome offer services that will auto-generate “strong” passwords that are harder to hack, but a determined hacker can still crack those passwords with enough time and resources. Two-factor authentication adds another layer of protection in these scenarios.

Two-factor authentication isn’t available for all devices just yet—it’s primarily used with laptops, tablets, smartphones, and select apps like mobile versions of college websites.

How Does Two-Factor Authentication Work?

Two-factor authentication requires two out of three types of credentials before it will grant access to a user’s account. The standard requirements are:

  1. Something the account owner knows—a numerical password, a personal identification number, or a pattern drawn out on the device’s touch screen.
  2. Something the account owner possesses—usually a phone, but also key fobs.
  3. Something the account owner is, a trait unique to them: a fingerprint, voiceprint, or Face ID.

Using two-factor authentication, a standard login process might go something like this: the user will provide the correct password associated with the account. Once the user successfully enters the password, a prompt will appear to ask the user to further confirm their identity by entering a random security code sent to their phone via text, email, call, or push notification. This security code serves as successful identity authentication. The user is then granted full access to the account.

It’s true that two-factor authentication solutions add another step to the user experience and inherently slow down the login process, but that’s a small price to pay for an extra layer of security.

Comparing and Contrasting Two-Factor Authentication Solutions

Not all two-factor authentication methods are created equal. Here’s a walkthrough of the three most common two-factor authentication examples and the pros and cons of each.

  1. Code Texts or Emails

    Most connected device users are familiar with this approach to two-factor authentication. Whenever they log into one of their accounts, they will receive a text or email with a randomly generated one-time-use code that will grant them access to their account. The good news is this method doesn’t require a high-tech phone or app to use. There are also options to have the access codes read aloud via robocall, which is a good alternative for the visually impaired or inexperienced users who find it difficult to make their way around apps.

    Unfortunately, text or email authentication comes with its own variety of security issues. SMS-based two-factor authentication is vulnerable to all the technical difficulties that plague normal cell phone use like poor connectivity, carrier issues, and roaming. If you’re in an area with less than stellar cell phone reception, the code might not get through—which can make it difficult to access accounts while traveling.

    Code texts and emails are also the easiest for hackers to crack. Phishing attacks are at an all-time high, and texts are the most likely target. “Porting” is when cyber scammers trick users into entering their two-factor authentication access code into a fake website and then clone their phone number. Once that happens, the hacker can intercept future codes and gain access to their personal accounts.

  2. Phone Apps

    Phone app authentication is a step up from SMS or email. With this method, the user downloads a mobile app like Google Authenticator that can read QR codes. The user then scans the QR code for the website they want to access, and Google Authenticator generates a code on their smartphone. The user inputs both the code and the regular password to gain access to the site.

    This two-factor authentication solution reduces some of the technical issues of code texts or emails because it doesn’t require internet access. And since the access codes are generated directly on the device, it’s harder for hackers to intercept them or launch phishing attacks. It’s also faster to input security codes using push notifications, which is something MSPs should consider if they want to offer customers the least obtrusive two-factor authentication experience.

    Finally, many users also feel more secure with phone apps because most of them will send out alerts about attempted logins detected on a device. If the user didn’t authorize the login attempt, they know a hacker is trying to gain access to their account and they can take preventative measures.

    However, if the user’s phone dies or they lose it and don’t have copies of the QR code saved elsewhere, there’s no way to get it back in a timely fashion. Push notifications also require a cellular connection, which might be problematic if your clients are trying to access their accounts in a subway tunnel or anywhere else where a cellular data connection could go in and out. Finally, it’s important to keep in mind that a user needs to own a smartphone in the first place to utilize phone app authentication.

  3. Physical Security Keys

    Physical security keys are as secure as you can get when it comes to two-factor authentication for small businesses. This method requires the user to insert a physical key into the device to verify their identity instead of relying on a numerical code. An unknown cyberattacker thousands of miles across the globe won’t be able to reach into your customers’ pockets and retrieve their access key (no matter how adept a hacker they are). You can buy quality keys for as little as $20, but make sure you purchase one that complies with FIDO2 security standards.

    However, one downside to physical security keys is that your customers must always carry the key with them to access their accounts. This can be a hassle and leaves users vulnerable if they lose or misplace their keys. Since adoption of physical two-factor authentication has been a little slow, the keys are currently only compatible with devices with standard USB or USB-C ports. iPhone users will have to wait until a Lightning version debuts.

Two-Factor Authentication Best Practices

Regardless of which two-factor authentication solution you choose for your clients, what matters most is that you pick one. If you connect your account to the internet, you should assume a hacker will try to get into it at some point. This goes double for MSPs with customers who handle highly sensitive information on a day-to-day basis. Two-factor authentication holds cybersecurity to a higher standard and should be a prerequisite for companies dealing with sensitive data.

Once two-factor authentication is in place on their customers’ devices, MSPs can apply these additional authentication best practices to improve the end-user experience.

  • Implement two-factor authentication across the entire suite of devices, not just for certain devices or accounts.
  • Customize two-factor authentication messages so your customers will be able to recognize spam messages more easily.
  • Enable push notifications.
  • Make authentication passcodes longer than six digits.
  • Keep an eye on time drift, synchronization, and validity windows.
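The phone-app method described earlier and the bullets above on passcode length, time drift, synchronization and validity windows all come down to how a time-based one-time code is derived on the phone and checked on the server. The Python example below is added here and is not code from the original article or from any authenticator app; it implements the RFC 6238 derivation (HOTP per RFC 4226 driven by a 30-second time-step counter) together with a server-side check that tolerates one step of clock drift, using a constructed demo secret.

```python
import hmac
import hashlib
import struct
import time

# Length of one time step in seconds (RFC 6238 default).
TIME_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then reduction to the requested number of digits."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 6, step: int = TIME_STEP, window: int = 1) -> bool:
    """Accept a code from the current step or up to `window` steps either side.
    This validity window is what absorbs clock drift between phone and server;
    keep it small (1 is typical) because every extra step enlarges the set of
    codes that would be accepted at any moment."""
    counter = unix_time // step
    accepted = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # Constant-time comparison; no early exit, so timing reveals nothing.
        accepted |= hmac.compare_digest(candidate, submitted)
    return accepted


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); real secrets are random
    # and reach the phone through the QR code the user scans.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("current 8-digit code:", totp(demo_secret, now, digits=8))
    print("accepted:", verify_totp(demo_secret, totp(demo_secret, now, digits=8), now, digits=8))
```

Raising `digits` to 8 is the "longer than six digits" recommendation; the secret, step and window are the parameters that must match between the phone app and the server for codes to line up.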

Is Two-Factor Authentication Hackable?

Two-factor authentication is hackable to the extent all devices or accounts connected to the internet are hackable. Bad actors have successfully cracked two-factor authentication in the past, but it is extremely rare. It’s much more likely that human error will leave accounts vulnerable. The best way to prevent cybersecurity threats on your customers’ accounts is to educate them about the latest threats, teach them about the dangers of social engineering, and have a comprehensive backup system in place to salvage data in the event of an attack.

If you have a variety of customers with different backup solutions, it wouldn’t take much for things to get out of hand. With SolarWinds® Backup, MSPs receive gapless server, workstation, document, and application backup from a single dashboard. Check statuses and schedule backups with ease. By keeping all your backup needs in your own, single-tenant cloud, Backup reduces your hardware costs and makes your cloud services work harder for you. SolarWinds Backup also features a variety of auto-recovery and archiving options to ensure your customers never lose a single file.

Interested in learning more about how to securely back up your servers and critical applications? Explore our product suite to see how you can prepare for potential disasters.