Fortunately, there is an option called two factor authentication (2FA) for better safeguarding your online accounts and the online accounts of your employees.
Before we get into details about two factor authentication, here are three pieces of password advice that you’ve probably heard many times before. They bear repeating.
1. Use a different password for every online account.
2. Store your passwords in a password database tool instead of in a spreadsheet or document. Popular password applications include:
These vendors also offer business versions for sharing passwords among team members.
3. Consider using a passphrase rather than a password. Passphrases are more secure and easier to remember than a common strong password format such as ipz2!az8k%0h?.
Strengthening Login Security With Two Factor Authentication
Two factor authentication (2FA) is also known as 2-step verification. In general, 2FA means that you are provided with a one time use code that needs to be entered if you are logging into an online account from an unfamiliar device.
If an application offers a two factor authentication option, consider taking advantage of it. Examples of popular cloud applications that offer 2FA are G Suite, Office 365, Salesforce, LinkedIn and Amazon.
Even though it may seem logical that having 2FA on an account reduces the importance of a strong password, it’s still a best practice and a good habit to use strong passwords on all online accounts—regardless of whether they have the additional protection of 2FA.
1. Email Two Factor Authentication
Email is the most convenient form of 2FA, since emails can be accessed from a variety of devices.
While much stronger than a password alone, email 2FA can be exploited by a phishing attack, as demonstrated in this video.
2. Text Two Factor Authentication
SMS text 2FA is more secure than email 2FA, since the verification code can normally only be accessed from one place—your mobile phone.
Of course, if you are trying to log into an email account such as G Suite or Office 365, an emailed verification code is a “Catch-22” and therefore not a viable option.
If you don’t happen to have your mobile phone with you, there are additional options, which are covered below.
There have been reported cases where someone’s mobile SIM card has been spoofed or swapped so that the hacker could receive a copy of the 2FA code that was sent out as a text message.
3. Phone Call 2FA
A telephone call to a mobile or landline number is equivalent in security to a text message. An automated voice reads out a verification code.
4. Backup Codes
Backup codes are designed to be printed out and carried in a wallet or stored securely at home. A code can be used for verification when a mobile phone is not available, for example.
5. Mobile Authenticator Application (Software Token)
A still stronger level of 2FA is the use of a mobile authenticator app like the ones offered by Salesforce and Google.
Using location services to set up trusted locations such as “office” and “home” greatly reduces the possibility of device spoofing.
6. Physical Security Key (Hardware Token)
The strongest level of 2FA online account protection and the best phishing attack prevention is a physical security key.
The key is a small device that can be added to a keychain and then plugged into a computer’s USB port. This is as close to 100% online account protection as is currently possible.
The Yubikey from Yubico works with many popular applications.
Google is coming out with a similar product to Yubico’s called the Titan Security Key. This key will work with G Suite and Google Cloud. It also will have a bluetooth connection option.
Update: The Titan Security Key is now available in the Google Store.
A comprehensive list of applications and what types of 2FA they support, if any, can be found at Twofactorauth.org.
Strong, unique passwords coupled with 2FA will make your and your employees’ online accounts more secure.