Why You Should Use Two-Factor Authentication (2FA)

Each day, more and more of our personal information has begun to live on the internet. As this information has moved from our desktops to the cloud, so has the focus of malicious actors. Cloud-based storage such as Google Drive and Dropbox, online photo albums, social media accounts, internet banking services, etc. hold the keys to our memories, financial data, and other sensitive materials.

Scammers and other criminals are constantly developing increasingly sophisticated means to access that material without your permission through such methods as brute-force hacking, viruses, or more complex approaches such as phishing and ransomware.  Most of these attempts can be defended against with a few simple steps and a little vigilance: using strong passwords, not handing out personal information, verifying the legitimacy of links or websites you visit, and enabling two-factor authentication.

What is two-factor authentication?

While the term may sound technical, the idea behind two-factor authentication is simple:  there are two secure pieces of information a user must provide in order to access an account (simply providing a password would be an example of ‘one-factor authentication’).  

It’s likely that you’ve been using forms of two-factor authentication all along without realizing it.  For example, many online banking services will request not only a username and password, but also some unique PIN when trying to access accounts or make transactions.  The DMV may require multiple forms of identification to prove your identity when obtaining a driver’s license.  

Many online services will include ‘security questions’ you must answer in order to make changes to account information.  The underlying principle is the same - it may be easy for a criminal to gain access to one form of authentication (such as a password), but it becomes much more difficult for them if they must obtain more than that.  This is especially true if the second factor is randomly generated and/or is tied to a specific physical device.

Google Apps and other services

For online business services such as Google Apps, the two-factor authentication method requires ‘something you know and something you have’, the former being your username and password. For ‘something you have’, this usually involves entering a randomly generated passcode sent to a physical device you carry with you - a physical token, a device such as your smartphone, or a certified security key (such as a USB stick) that you must plug into your computer when attempting to access the account.

This method means that, even if someone gains unauthorized access to your username and password, they still cannot log in to your account unless they also have access to the physical device.  Obviously, this makes unauthorized access to your data nearly impossible - though it also means you may become locked out of your account if you leave your phone or security key at home (most services running two-factor authentication have thought of this, and can provide a list of ‘emergency keys’ you can generate and keep with you for this exact situation).

This talk of carrying a physical key device and entering a second password may sound inconvenient, but bear in mind that convenience is the cost of increased security.  Making the account more difficult for you to access also makes it exponentially harder for unauthorized persons to do the same.  

Nodal recommends enabling two-factor authentication at all of our clients, especially for business accounts that may contain sensitive material such as trade secrets, contracts, bids, and payroll and banking information.

Google Apps/G-Suite administration

Most of our clients are already using Google Apps/G-Suite services to manage email, calendars, document management, and more. This makes maintaining security on these services extremely important: multiple users accessing your business data means multiple points of entry for criminals.  We suggest enforcing user two-factor authentication as general company policy, for staff and any freelancers who will regularly be accessing your G-Suite data.

Two-factor authentication functions on a user-by-user basis - having individual users sharing a passcode or physical key generally defeats the purpose.  However, this creates a possible headache when a user leaves your employ, as they may take their smartphone with them if they were not using a company-issued device.  They will not be able to access the account if the password is changed as part of standard off-boarding, but you may have concerns that the account will become inaccessible if that device leaves the facility.

Fortunately, G-Suite’s administration tools allow you to manage the security settings for all users associated with your business account.  The administrator can review security settings on a user-by-user basis, determine if two-factor authentication is enabled on the account (this must be done by the user, so bear this in mind when enforcing company policy), and, if needed, revoke and disable two-factor access to the account.  That way control of the account remains with the business for the purposes of maintaining email records and other long-term auditing and archiving needs.

Conclusion

Implementing two-factor authentication for critical business (and personal) accounts creates yet another barrier to entry for criminals looking to profit off of your data.  While the thought of managing a separate device may seem inconvenient, bear in mind that that is the entire point of security systems - to make your accounts more difficult to access.  A minor inconvenience when logging into your online accounts is preferable to the major headache of having sensitive personal or business data compromised.

For a deeper dive into two-factor authentication and its uses, SecurEnvoy has a good article on the subject.  Feel free to get in touch with us if you have any questions!