What is 2FA?
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. These factors can include something you know – like a username and password – plus something you have – like a smartphone app – to approve authentication requests.
Why is 2FA Important?
Two-factor authentication (2FA) is the foundational element of a zero trust security model. In order to protect sensitive data, you must verify that the users trying to access that data are who they say they are. 2FA is an effective way to protect against many security threats that target user passwords and accounts, such as phishing, brute-force attacks, credential exploitation and more.
Let’s say you use a username and password to complete primary authentication to an application. That information is sent over the Internet (your primary network). You’ll want to use a different (out-of-band) channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.
So why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication — if both are delivered over the same channel.
Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc. stored in applications.
By integrating two-factor authentication with your applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.
What Threats Does 2FA Address?
The need for two-factor authentication has increased as companies, governments, and the public realize that passwords alone are not secure enough to protect user accounts in the current technical landscape. In fact, the average cost of data breaches today is over two trillion dollars annually. While 2FA protects against a multitude of threats, the most common threats include:
Stolen passwords: A traditional password can be used by anybody who gets their hands on it. If a user writes down their password on a pad of paper, for example, that password can be stolen to gain access to an account. 2FA, by contrast, validates the user with a second device after a password is entered.
Phishing attempts: Hackers will often send emails that include links to malicious websites designed to either infect a user’s computer or convince them to enter their passwords. Once obtained, a password can be used by whoever manages the hacking attempt. 2FA fights phishing by adding a second layer of validation after the password has been entered.
Social engineering: Hackers will often simply manipulate users into giving up their passwords. By posing as an IT professional at the user’s company, they can earn the trust of the user before asking for login credentials. 2FA protects against this by validating the location and IP of every login attempt after a password has been entered.
Brute-force attacks: In a brute-force attack, a hacker repeatedly guesses passwords for a specific computer until they land on the correct one. 2FA’s second layer of protection requires a login attempt to be validated before granting access.
Key logging: Even if a user hasn’t written down their password, hackers can use malware to track and copy a user’s password as they type. Hackers record every keystroke and store the password to be used later. The second layer of validation in 2FA lets a user ensure that the login attempt is their own, even if their password has been compromised.
Frequently Asked Questions About 2FA
Who uses 2FA?
Two factor authentication is used across many industries that require user authentication and device trust, beyond usernames and passwords. 2FA technology is often championed by an organization’s security team, Chief Information Security Officer, or information technology team, but it affects departments throughout the business. Below is a list of the top five industries where 2FA is a crucial information security strategy:
Healthcare: Due to the incredibly sensitive personally identifiable information protected by hospitals and other healthcare organizations, two factor authentication is commonly used to secure user accounts (doctors, patients, administrative staff).
Finance: Financial institutions use 2FA to protect against data breaches and to comply with the growing security demands of users and auditors. The highly sensitive and valuable data protected by financial firms makes them prime targets for cyber criminals.
State & Federal Government: Both state and federal governments are under constant threat of cyber attacks. In response, governments are implementing two factor authentication in addition to traditional passwords. With 2FA, a hacker would have to capture an end user’s mobile device, even if their password is compromised.
Education: Educational institutions from elementary schools to universities implement 2FA solutions to protect the data of their students and staff. Students, teachers, and administrators log into sensitive web portals with 2FA in addition to the traditional passwords.
Law Enforcement: Two-factor authentication is used by government agencies of all sizes, from the FBI and CIA down to local police departments, in order to protect sensitive data. Law enforcement administrators can confirm the location, IP address, and username of any user attempting to log into their networks. This is another layer of protection against potential external threats.
2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.
About 81% of confirmed data breaches in the Accommodations industry involved stolen credentials. – Source: Verizon 2018 Data Breach Investigations Report
Which authentication method is best?
We recommend push-based, U2F, and biometric authentication, because these make it very difficult for an attacker to pose as an authorized user.
Push-based 2FA: Most push-based authentications can’t be approved unless a user’s phone is unlocked. This requirement makes push-based 2FA more secure than passcode-based 2FA, which often delivers a code that can be seen on lock screens or other SMS-enabled devices. With push-based 2FA, simple security measures like a passcode or biometric identification go a long way, protecting applications with a layer of information only device owners would possess.
U2F: With U2F-based 2FA, users initiate an authentication request and then approve it by tapping a USB device attached to their laptop, desktop, or smartphone. Unlike traditional security tokens, U2F devices are tamper-proof. Each device is associated with only one user, preventing imposters from posing as a trusted user, even if the device is lost or stolen.
WebAuthn: Like U2F-based authentication, WebAuthn-based authentication requires users to approve access requests via a mechanism that’s attached to their device. WebAuthn, however, takes this principle even further by tapping into users’ built-in biometric authenticators, negating the need for both passcodes and physical hardware. With WebAuthn, the world of information security moves one step closer to true password-less authentication.
What’s the difference between 2FA and MFA?
Two-factor authentication (2FA) is a subset of multi-factor authentication. There are as many potential factors of authentication as there are ways to confirm a user’s identity (location, fingerprints, face, security keys), and any security protocol that involves three or more is considered MFA. 2FA is the most common and easily accessible subset of MFA that requires two factors of authentication.
How will 2FA improve my technical infrastructure?
2FA often reduces the need for device-specific or application-specific security tools, like MDMs. With 2FA, companies are able to protect a broader scope of information and technical environments, allowing them to consolidate and/or forego solutions that may not be adding to the overall security landscape. Reducing total cost of ownership is an ongoing initiative for many companies, especially when it comes to IT, and protecting more information with 2FA can drive progress toward that goal.
Can I use 2FA in a hybrid environment?
The short answer is: “yes.” Most companies need to protect both cloud-based and on-premises applications, so it’s smart for 2FA vendors to accommodate both types.
However, that doesn’t mean all 2FA vendors can protect all applications. Some are tailored to specific productivity tools or require additional drivers or software to protect a greater breadth of information.
How do I make sure my users keep their devices updated?
Rigorous device health standards are an essential part of any effective security framework. To truly be secure, every single device that requests access to an application should meet your organization’s security standards. But depending on the complexity of your security protocols, it can be difficult to ensure every device has the latest operating system, has screenlock enabled, is properly encrypted — the list goes on.
Some 2FA solutions build in the option for device health checks, so administrators can warn users that unless they update their software or change their device settings, they’ll be unable to access the services they need. Several self-remediation features are designed specifically to not only warn or block users based on device health, but to help users comply with security regulations without needing to get an IT professional involved.
The easier it is for users to meet security standards, the more likely they are to keep their devices compliant — saving administrators a lot of headaches over time.
What if a user loses their mobile device?
2FA relies on users to have a device with which to authenticate. If that smartphone or laptop is lost or stolen, there’s a heightened risk that unauthorized entities will be able to access your important data. So, generally, users should be aware of their devices’ locations at all times, and they should be cautious about letting others use their devices.
That’s not a security guarantee, though — we’ve all lost (or thought we lost) a device or two somewhere along the road. It happens. Fortunately, 2FA technology can actually make it easier to protect the information to which those devices have access. Security solutions that install directly onto users’ devices (MDMs, etc.) can often lock or shut down devices remotely, protecting mission-critical information even when a user doesn’t physically have their device with them. Users can easily self-enroll in 2FA via an app on their devices, so no matter where in the world they travel or what technology they use, your information stays secure.
Can I limit access to some applications but not others?
With a good adaptive authentication solution, yes! And as the security industry evolves, it becomes ever more important to do so. Remember, the goal of a security policy is to limit access to as few people as possible — and that concept applies at the application level, too. To truly reduce the possibility of a breach, each user should be able to authenticate to as few applications as possible, and their level of access should be based on the information they need to access.
What is a user access policy?
A user access policy is a specific set of rules that determine whether or not a user can access an application. For example, your company might have a policy that only users with a certain level of security clearance can access mission-critical information. A good 2FA solution will allow administrators to set these rules granularly, ensuring that only the right people, with the right devices and the right credentials, are accessing each individual application.
The ultimate goal of a user access policy should be to grant access to as few users as possible. This means thinking critically about very general authorization parameters. It’s likely that some applications will require more stringent protection than others, and that some devices will be more trustworthy than others — so access policies should take these factors into account. For example, applications that contain sensitive personal information may require a user to have both the correct security clearance and their device firewall enabled. In contrast, collaboration tools like calendars may be accessible to more users and may not require that users’ devices meet such specific criteria.
What is adaptive authentication?
The premise of adaptive authentication is that users’ circumstances are constantly changing — they move between networks, they change their device settings, they require additional application access, etc. — so authentication rules should constantly be adjusting to keep up.
A good adaptive authentication solution will allow users to set risk-based access policies over several dimensions:
By user or group of users and their roles and/or responsibilities.
By authentication method. Allow authentication only via approved methods. For example, users authenticating via push notification are granted access; users authenticating with SMS are not.
By application. For example, a company might want to enforce the use of the more secure MFA methods (push notification, U2F, etc.) for high-risk applications and services.
By geographic location. Restrict access to company resources in any geographic location.
Set conditional policies for certain locations. For example, a company may want to require 2FA in certain locations, but not in others.
By network information. Where the user/device is coming from (set of IP ranges); block authentication attempts from anonymous networks like Tor, proxies and VPNs.
Because adaptive authentication is only becoming more and more important, the best 2FA providers make it easy to set and monitor security policies based on any of these dimensions — and with an intuitive administrator dashboard, administrators can do it all from a single, central control panel.
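A minimal policy evaluator covering the dimensions listed above (user group, authentication method, application, geographic location, network), as an added example that is not code from this page or from any 2FA vendor. The IP ranges, group names, application names and country codes are constructed placeholders; the decision vocabulary (allow, deny, require_2fa) is an assumption for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy inputs for this example (assumptions, not values from the page).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # trusted office network
ANONYMOUS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for Tor/proxy/VPN exits
BLOCKED_COUNTRIES = {"XX"}                                    # placeholder country code
HIGH_RISK_APPS = {"payroll", "hr-records"}
STRONG_METHODS = {"push", "u2f", "webauthn"}                  # approved second factors

@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset      # e.g. {"staff"} or {"admins"}
    app: str
    method: str            # "password" = first factor only; otherwise the second factor used
    country: str           # country code from geolocation of the client IP
    ip: str

def _in_any(ip, ranges):
    return any(ip in net for net in ranges)

def evaluate(a: Attempt) -> tuple:
    """Return (decision, reason); decision is one of allow, deny, require_2fa."""
    ip = ipaddress.ip_address(a.ip)
    # Network dimension: anonymous networks are blocked outright.
    if _in_any(ip, ANONYMOUS_RANGES):
        return "deny", "anonymous network (Tor/proxy/VPN range)"
    # Geographic dimension: some regions are blocked entirely.
    if a.country in BLOCKED_COUNTRIES:
        return "deny", f"logins from {a.country} are not permitted"
    # Authentication-method dimension: SMS is never an approved factor here.
    if a.method == "sms":
        return "deny", "SMS is not an approved authentication method"
    # Application dimension: high-risk apps demand a strong second factor.
    if a.app in HIGH_RISK_APPS and a.method not in STRONG_METHODS:
        return "require_2fa", "high-risk application requires push, U2F or WebAuthn"
    # Group and conditional-location dimensions: admins always, and anyone
    # off the corporate network, must complete a strong second factor.
    on_corporate_net = _in_any(ip, CORPORATE_RANGES)
    if ("admins" in a.groups or not on_corporate_net) and a.method not in STRONG_METHODS:
        return "require_2fa", "second factor required for admins and off-network logins"
    return "allow", "all policy dimensions satisfied"
```

Deny rules are evaluated before step-up rules so that a strong second factor never overrides a blocked network or region.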
How does 2FA protect BYOD?
Open wifi networks: 2FA protects against attempts to steal or phish your username and password via an open wifi network.
Man-in-the-Middle attacks: 2FA doesn’t allow hackers to spoof push notifications to your personal device even if your password is compromised by a man-in-the-middle attack.
One password across many accounts: 2FA gives you an added layer of security via push notifications even if you have used the same password across multiple accounts.
Malware email attachments: Even if you fall prey to malware attachments, you can protect your login credentials by confirming every login attempt accessing your accounts.
Cloud storage: 2FA gives cloud users the ability to validate every login attempt with their personal devices, no matter where in the world they are. This becomes a chokepoint that organizations can use to secure their data in the cloud.
How does 2FA work when my users are traveling?
In most cases, 2FA should work exactly the same way when you are traveling as it would when you are at home. You enter your password, validate the login attempt with your push notification, and hit accept. There are two situations when two-factor authentication won’t work when traveling, however:
First, you will not be able to receive push notifications if you lose cell or wifi connection while traveling. Some wireless carriers may not have service in the area you are visiting, so be sure to confirm coverage before you travel.
The second issue that may cause 2FA to not work while traveling is if you lose your phone. Even with your password and username, you will be locked out of applications if you cannot receive a push notification with your phone.
What is zero trust, and how is 2FA related?
The zero-trust approach to security posits that location-based trust is no longer enough to prevent unauthorized access to applications and information. The traditional “perimeter,” defined by known networks and environments, is being negated by BYOD and remote work — in the modern workplace, employees expect some freedom to work from different locations and use the devices they’re most comfortable with. The zero trust model addresses these potential security issues by establishing trust for every access request — regardless of location. It enforces adaptive controls, and continuously verifies trust. Trust levels are dynamic and change to adapt to your evolving business. This approach can help prevent unauthorized access, contain breaches and reduce the risk of an attacker’s lateral movement.
We can help businesses secure their workforce using a zero trust approach. This model can seem complex, because it up-ends traditional perimeter-based security — but achieving zero trust can be done in just 5 steps:
Establish Trust in User Identities
Gain Visibility into Devices & Activity
Ensure Device Trustworthiness
Enforce Adaptive & Risk-Based Policies
Enable Secure Access to All Apps