Two-Factor Authentication: What Is It, and Do I Need It?
It feels like the list of potential cyberthreats to your business is never-ending. You put the basic safeguards in place: firewalls, password policies, anti-virus protections, and so on. Beyond that, your cyber risks are in the hands of fate. Sure, anything is possible, but other priorities need your time and attention.
We get it. You're inundated with requests for resources. IT requests, specifically cybersecurity requests, always seem to play on your fears and come with a worst-case scenario story of a business just like yours that lost it all in an attack. As a leader, you're focused on growth and moving forward. You can't get hung up in every what-if scenario, or you'd never get anywhere. Making fear-based decisions makes you feel stagnant, like you're investing in maintaining the status quo when you'd prefer to invest in moving forward. You know cybersecurity is important, but so is everything that comes across your desk, and there are only so many resources to go around.
As a managed service provider, Innovative constantly asks business owners and executives to make investments in cybersecurity. Maintaining adequate, secure, and up-to-date networks is the only way we can confidently commit to our service level agreement. But as business advisors first and IT people second, we know how many priorities are competing for your limited resources.
Even Jason Rappaport, Innovative's President and CEO and a lifelong IT guy and lover of all things 1s and 0s, knows exactly how difficult it is to prioritize security investments over revenue-generating priorities like inventory or staffing.
But not all security improvements come with a hefty price tag or continuous replacement cycles. I sat down with Jason to learn about what he describes as one of the easiest things you can do to reduce your security risk: two-factor authentication (2FA). And here's what he had to say.
What is two-factor authentication (2FA)?
Two-factor authentication is precisely as it sounds: it verifies your identity with two different kinds of evidence, typically something you know (a password) plus something you have (your phone or a hardware token) or something you are (a fingerprint).
When you sign into your bank account, and the login screen prompts you to enter a code from a text message, that's two-factor authentication. Or, when you log into Facebook on a new computer, and you get a "new sign-on detected" notification on your mobile device requesting you verify the sign-on is valid, that's two-factor authentication.
The first method of authentication is almost always a password. But there are several options for the second authentication method, like the text message and push notification in the above examples.
Before we move on, it's important to note that you'll sometimes see the terms two-factor authentication (2FA) and multi-factor authentication (MFA) used interchangeably. Multi-factor authentication just means you can use two or more methods to verify your identity. Technically, all two-factor authentication is multi-factor, but not all multi-factor is two-factor authentication. To keep things simple, we'll focus on two-factor authentication in this article.
Why do you need two-factor authentication?
Two-factor authentication substantially increases your security: a stolen, guessed or reused password is no longer enough on its own to get in. According to Jason, it is one of the easiest things you can do to significantly reduce your risk of unwanted access to your systems and data.
There is no scenario where 2FA is a wrong choice or a bad fit for your business. And while 2FA is a good idea for any business, for some businesses it is even more critical, or outright required.
Two-factor authentication is likely required for your information systems if you are in any of the following industries or comply with the following regulations:
- Healthcare and HIPAA Covered Entities.
- Payment Card Industry (PCI) and businesses that maintain payment information.
- Finance and banking industry.
- Defense and government contractors.
In full disclosure, not all compliance regulations specifically mention two-factor authentication. However, they all require documented policies and practices to safeguard passwords, restrict access to data, and ensure access is granted only to authorized users. The reality is that usernames and passwords alone are no longer good enough to meet that standard. You must have another layer, or more, of protection from unauthorized users accessing your systems.
In addition to industry requirements, some cyber liability insurance policies now require two-factor authentication to maintain coverage. Even when it's not required for coverage, two-factor authentication is a factor in determining cyber insurance premiums and deductibles. Essentially, insurance providers expect a best effort from you on the cybersecurity front. Ignoring best practices like 2FA can lead to denial of coverage, increased premiums, and increased deductibles. Not to mention, depending on how you answer the questions on your insurance application and renewal forms, you could even see claims denied in the event of a loss due to a cyberattack.
Insurance companies know that if you're using only usernames and passwords, it's only a matter of time before someone hacks you. That makes your cyber risk, and the cost of cyber insurance coverage, considerably greater.
How to roll out two-factor authentication in your organization.
By now, we hope you're on board with two-factor authentication as a good security practice. Now, let's walk through the process and best practices for rolling out 2FA in your organization.
Jason was pretty candid in his response to this question.
"People hate it," he said.
New 2FA policies make people change, and people hate change. They already have so many passwords they're required to change regularly. Now, you're adding steps and making it even harder to do something.
Related article: Implementing Technology Change in Your Business
This change must start from the top. You must have management and leadership support.
Jason suggests implementing 2FA in the following steps:
- Brainstorm and prepare for what-if scenarios. An example might be thinking about your company's policy and culture around personal cellphone use. What if someone doesn't want to use their cellphone for authentication? Do you have policies in place to require it, or backup options available? What if someone loses or forgets their cellphone? Don't worry. There are options (hardware fobs) to solve these problems.
- Communicate to your team what you're doing, why you're doing it, what users can expect, and when. The last thing you want to do is create a giant headache by rolling out a change that no one is prepared for, and suddenly no one can sign into their email all at once.
- When possible, start with a group of power users or individual departments. Or maybe start with one platform. In some cases, you'll have to roll out 2FA to every user at once for things like VPNs and Microsoft 365 (email, OneDrive, Office 365, etc.). In those cases, do it one platform at a time.
Who does what?
Your IT administration will turn on and configure two-factor authentication in each individual platform. As your outsourced IT administrators, Innovative administers 2FA authentication for managed and co-managed services clients that choose to add two-factor authentication to their services.
Depending on the type of 2FA used, this may be the end of the process. SMS text messaging, for example, requires no additional configuration beyond collecting each end user's cellphone number and communicating with users when the additional text message verification begins.
However, Jason stressed that SMS text messages are not encrypted and are susceptible to hacking: a code sent by text can be intercepted or redirected (for example through SIM-swap fraud) or simply phished out of the user along with the password.
A much more secure authentication method than text message is a one-time code or push approval produced by an authenticator. With time-based one-time passwords (TOTP), the authenticator app or hardware token and the server share a secret that is set up once at enrollment; each short-lived code (typically valid for 30 seconds) is computed from that secret and the current time, so no code ever travels over the phone network. Push-based authenticators instead send an approve/deny prompt to the registered mobile device.
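To make the TOTP mechanism concrete, here is an added example (not code from the article, from Innovative, or from any authenticator vendor) that implements the RFC 4226/6238 algorithm used by Google Authenticator, Microsoft Authenticator and similar apps, plus the server-side checks a practitioner wants: a small clock-drift window, constant-time comparison, and rejection of a code that has already been used. The shared secret below is the published RFC test secret, included only as constructed demo input; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code (padding is optional)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpValidator:
    """Server-side verification for one enrolled user.

    Accepts codes from +/- `window` time steps to tolerate clock drift, compares in
    constant time, and never accepts the same time step twice, so a code an attacker
    captured (e.g. via a phishing page) cannot be replayed inside its 30-second life.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1   # highest step already consumed; persist per user in practice

    def check(self, code: str, at: int) -> bool:
        base = at // self.step
        for k in range(-self.window, self.window + 1):
            candidate = base + k
            if candidate <= self.last_step:       # already used, or older than a used one
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_step = candidate
                return True
        return False


# Constructed demo input: the shared secret from the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time

    print("code right now:", totp(RFC_TEST_SECRET, int(time.time())))
    v = TotpValidator(RFC_TEST_SECRET)
    print("first use:", v.check(totp(RFC_TEST_SECRET, 59), 59))   # True
    print("replayed :", v.check(totp(RFC_TEST_SECRET, 59), 59))   # False
```

The point for the rollout discussion above is that the secret is exchanged once, at enrollment (that is what the QR code carries, so treat the enrollment screen as sensitive), and after that the phone and the server compute codes independently; nothing is sent by text. The replay check matters because a TOTP code is still a shared code: a user who types it into a fake login page has handed it to the attacker for the rest of its 30-second window.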
Innovative uses the Duo Authenticator app for our team and our clients, but there are many different authenticators on the market like Google Authenticator, Microsoft Authenticator, Authy, etc.
IT administrators work with each end-user to have them download the authenticator app or distribute hardware security tokens. Depending on your end-users' comfort levels and the type of authenticator you choose, IT administrators work with each user to help them configure the authenticator for each individual system or centrally configure the app for users through an administration portal. More savvy users may only need basic email instructions, while other users need face-to-face support from the administrators.
Instead of personal mobile devices, hardware security tokens are an option for users or organizations that cannot use cellphones for authentication. These tiny pieces of hardware are similar in size to a USB thumb drive. Some show a one-time code on a small display that the user types in; others plug into or pair with the computer (typically over USB, NFC or Bluetooth) and answer the login challenge directly, which also means there is no code for a phishing page to capture.
What does two-factor authentication cost?
Two-factor authentication costs might be as simple as the time of your IT administrator but could also include the cost of hardware tokens and subscriptions to paid authenticator applications.
Innovative managed services clients pay a project fee to set up and configure two-factor authentication across all systems. The cost of this project varies greatly from client to client.
The initial cost depends on things like:
- The number of integrated systems involved.
- Amount of end-user communication you will handle internally.
- Number of users.
- The ability for the project to coincide with other planned upgrades and migration projects.
For example, when two-factor authentication coincides with a project that touches every end-user, like a Microsoft365 migration, the initial cost is reduced significantly.
Innovative clients also pay a monthly fee starting at $6 per user per month, depending on which version of the authenticator application is necessary. This fee includes the Duo Authenticator app subscription and additional end-user support and maintenance of two-factor authentication settings across all your systems. This cost is relative to the size and scale of your organization. Larger organizations are likely to see a reduced cost per user, while one- or two-person businesses may pay more.
Related Article: Find out what types of businesses work best with Innovative.
If you're not an Innovative customer, you can subscribe to any authenticator of your choice, including some that are available for free. Keep in mind that free authenticators require users to connect the authenticator app to each system themselves and require them to find and open the app on their phone each time they need to enter the security codes. The 10 to 20 seconds it takes to find and open the app starts to add up over the day. Plus, free authenticators usually require more one-on-one attention from IT resources to help users configure their authenticators with applicable systems.
Paid authenticators typically have options for push notifications to end-users and for IT staff to manage configuration centrally. What you save in a monthly fee with a free authenticator, you may lose in your IT resources' time and employee frustration.
Other costs include any hardware security tokens necessary for employees who can't use mobile devices. Hardware security tokens typically cost around $50-$100 depending on the type of token and technologies used.
What to look for in a 2FA application and why Innovative chose Duo.
Innovative selected Duo as our authenticator application of choice due to its backend cloud portal that allows us to manage and configure 2FA for multiple clients at scale effectively. Duo integrates seamlessly with the Cisco/Meraki networking infrastructure already used by the majority of our clients. You should evaluate all options to find the solution that best fits your network and IT administration workflows.
We also prefer the push notifications available through the paid Duo Authenticator over the free authenticator applications' in-app codes. As more platforms enable 2FA, the 10 to 20 seconds it takes to log into your phone and find the correct code can add up.
Jason suggests choosing an authenticator application with the following features:
- Ability to use hardware tokens as well as software applications.
- Ability to centrally manage all users and devices.
- Ability to support all your applications (VPN, email, ERP systems, CRMs, etc.).
- SMS text message and phone callback options as a fallback when internet or mobile data service is unavailable (keeping in mind these are the weakest methods, so they should be the exception rather than the default).
- Bypass codes available for network administrators and IT help desk to assist users having difficulty logging in (they should be single-use, short-lived and logged, since each one temporarily removes the second factor for that account).
- Ability for IT administrators to centrally disable tokens and devices in the event they are lost or stolen.
OK, What's Next?
OK, so you get that two-factor authentication can dramatically reduce your organization's security risk and possibly even your cyber liability insurance premiums. Where do you go from here?
Remember that leadership and executive support is essential to your successful adoption of two-factor authentication. Start by gaining buy-in from all leaders and talk with your IT administrators. Ask them what systems they'd recommend configuring two-factor authentication for first. Then, collaboratively come up with a strategy for slowly and strategically communicating this approach with your end-users.
No one likes extra steps. This might cause a little heartache at first. The more communication you have with your stakeholders, managers, leaders, IT, and end-users, the more successful you'll be. In the end, you'll sleep easier knowing your systems and data are more secure, and your organization is less susceptible to an attack.