Two Factor Authentication: A Must-Have for Enterprises
By Jim Lundy
Two Factor Authentication is a term you will hear a lot more about in 2015. Microsoft made some news last week with its upcoming rollout of Windows 10.
The thing that caught our attention was not Universal Apps but the fact that Microsoft is starting to really get focused on security. What we noticed is that Microsoft is adding Two Factor Authentication (2FA) to Windows 10. This blog is about Two Factor Authentication and the need for enterprises to start using it.
I had a conversation with a number of clients about security over the last two weeks. Some talked about recent attacks that had hit either their enterprise or their employees. After listening to them, I brought up the need for Two Factor Authentication (2FA) as the simplest way to protect against get attacked by cyber criminals.
Two Factor Authentication Is a Must-Have for All Applications
Everyone is busy. But the reality is that cyber attackers are busy, too. They’re hard at work trying to break into your user’s PC or mobile device—which in turn will get them into your network.
Two Factor Authentication makes it much harder for cyber criminals to get in. In fact, in many cases, it stops them cold. Why? Because most of the time, they may be able to guess or steal a password, but they are not in possession of the user’s mobile device.
Two Factor Authentication: Vendors Back It
Some leading cloud providers, such as Salesforce, have had 2FA enabled on their main services for several years. Microsoft has had 2FA on Office 365 admin access since 2013, and they added 2FA for everyone else last year. That said, Yammer, which is now owned by Microsoft, does not use 2FA. Google has also had 2FA for several years.
The bottom line here is that vendors are still catching up to the reality that authenticating users is the best security approach.
The Reality Today: Many Firms Have Not Set Up Two Factor Authentication
There are two things that enterprises must realize: Cyber attacks will increase and so will the complexity of the attacks. Enterprises can feel overwhelmed. “How can we stop them?” is often the comment I hear in regards to security threats. My answer is to start with the basics. Make all applications 2FA-enabled. It may take work for user applications and testing.
As a real world note, we have had 2FA on our CRM cloud application since 2012. It works well and is not intrusive. That said, it does not verify a mobile user. Separately, we have been testing 2FA for Google and it can get a little tricky for users that have more than one mobile device.
So, the lesson here is that it does take some testing and it will require training to educate users.
Audit Your Suppliers for 2FA
As enterprises start to understand the severity and volume of attacks they are facing, 2FA will become a common way to access systems. Check your provider to see if they offer 2FA. If they do not, you will have to take steps to add it yourself.
This site has a great list of sites and software providers that offer 2FA. Notice that many still do not support 2FA. For consumers, this should be enough to cause you to change banks.
2FA: Start with IT Server Access
For IT, it starts at home. Systems administrator passwords—access to the applications themselves—must be two factor authenticated. The problem is, a surprisingly large number of these passwords are not. In fact, many IT administrators use the same password on many of their servers.
Sounds crazy, right? Go do an audit. You may be surprised. There are many firms that can help you get moving on 2FA. TwoFactorAuth has a great list here.
After getting your main applications protected, make sure you roll out 2FA to your users. Realize that 2FA works differently across apps (it depends how your large providers have implemented 2FA). Just doing it for email requires work and testing. For example, executive administrative assistants that access their executives’ calendars will often have to verify their access with their boss.
SSO for Access and Identity Management
So, for any medium or large organization, you are better off rolling out Single Sign On (SSO) to keep things simple. Our experience with SSO providers (One Login, Ping Identity, Okta) is that their ease of use varies widely.
Don’t just shop them on price. Look for the ease of configuration. Note that even with SSO, when a user logs in, that too should have a 2FA verification step turned on. Otherwise, a hacker that gets your SSO password, has access to everything.
The world has become a battlefront for cyber attacks, and with the prominence of this threat, security can be an overwhelming issue. Part of this comes down to ease of use—even if a system is extremely secure, users can’t work and they will complain. It’s all about striking a balance, and 2FA can help with this.
Two Factor Authentication is a must have in 2015 and it makes it much harder for attackers to hurt your enterprise or your associates. Don’t wait to start this. Start now.