Cyber Insight

We are being encouraged to adopt two-factor authentication (2FA), the process of adding an additional layer of security when accessing accounts and services online. It requires an additional login credential – beyond just the usual username and password – to gain account access. Getting that second credential requires a second device; your cell phone, for example.

With 2FA, your online transaction and your account are protected by both your password and your phone, which is used to verify your actions, usually by a one-time PIN (OTP) code sent via text, voice call or mobile app.

Many millions of users around the globe now use 2FA to guard against the activities of hackers and cybercriminals.

In the US, the National Cyber Security Centre (NCSC) recommends 2FA for “high value” and email accounts. It is increasingly obvious, notes the NCSC, that email provides a vulnerable ingress route for cybercriminals to reset passwords on other accounts.

In the UK, the finance sector has acknowledged the increasing propensity for cyberattacks linked to online transactions and has worked with regulators to introduce what they call strong customer authentication (SCA) in this high-risk sector.

Verizon’s 2021 Data Breach Report emphasises that “strong authentication is necessary as passwords alone provide weak protection because they can be guessed and phished and, once stolen, tried against a range of accounts in the hope of securing a hit”.

There are industry watchers who believe the adoption of 2FA is an important step towards a truly password-less future. They say that password authentication is plagued by problems resulting in poor user experiences – mainly because passwords are easily compromised.

However, as true as this might be, rest assured the market is some way off the ubiquitous adoption of password-less authentication. Why? The short answer is it isn’t easily achievable. There are challenges which include today’s complex and hybrid IT environments, compliance standards and regulations that must be addressed, not to mention the costs associated with administering and managing a password-less environment.

The immediate solution lies in the adoption of an effective password management solution which, when operated in tandem with 2FA, is an excellent way to secure access to accounts and services online. A password management solution creates strong, unique passwords that will stand up to a battery of tests.

Marrying 2FA and password management takes cyber security to the next level. It permits full control over an organisation’s credentials – who is using them and when. This is because access to passwords is now permission-based.

Significantly, password management systems and 2FA together secure your data: even someone who knows your master password (under which all individual passwords are amassed), hackers included, will not be able to access your account.

This is known as the “zero knowledge” technique, designed to keep data safe even if the company is hacked. It’s a technique that makes the task of breaching security far less appealing to those with malicious intent.
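As an added illustration of the “zero knowledge” design described above (example code written for this column, not the code of any particular product): the master password is stretched on the client into two unrelated keys, the server only ever receives a login key and opaque ciphertext, and a breach of the server’s store yields neither the master password nor any stored credential. The `seal`/`open_vault` cipher is a constructed HMAC-based stand-in for a real AEAD such as AES-GCM, and the iteration count is a demo value.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed demo value; tune per deployment


def derive_keys(master_password: str, salt: bytes):
    """Client-side only: stretch the master password, then split it into two unrelated keys."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    enc_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()  # never leaves the client
    auth_key = hmac.new(stretched, b"server-login", hashlib.sha256).digest()     # sent instead of the password
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (stand-in for a real AEAD)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: a wrongly keyed or tampered blob is rejected, not silently garbled."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(enc_key: bytes, blob: bytes):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(enc_key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong master password or modified ciphertext
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def enrol(master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server stores: a salt, a hash of the login key, and opaque ciphertext."""
    salt = os.urandom(16)
    enc_key, auth_key = derive_keys(master_password, salt)
    return {"salt": salt,
            "auth_hash": hashlib.sha256(auth_key).digest(),  # hashed again, so a dump does not yield auth_key
            "blob": seal(enc_key, vault_plaintext)}


def server_login(record: dict, auth_key: bytes) -> bool:
    return hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_key).digest())


def client_unlock(record: dict, master_password: str):
    """Full flow: derive keys locally, log in with auth_key only, decrypt the blob locally."""
    enc_key, auth_key = derive_keys(master_password, record["salt"])
    if not server_login(record, auth_key):
        return None
    return open_vault(enc_key, record["blob"])
```

A dump of the server record (salt, auth hash, blob) contains no plaintext credential and does not let an attacker recover the master password except by guessing it offline against the slow KDF, which is why the strength of the master password still matters.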

The combination of 2FA and password management is particularly important for secure network onboarding. This is when a new employee or guest user – often with multiple devices – has to gain access to the corporate network for the first time. Security concerns are always heightened then.

Security is also critical during the offboarding process, following the resignation, termination or retirement of an employee who is leaving the company.

It is accepted that current and former employees – with or without malicious intentions – are often responsible for putting businesses at risk through their actions. In fact, research indicates that employees – past and present – are responsible for around 80% of serious security breaches. In most cases, best operating practices were not enforced.

Looking ahead, password management should be seen as essential and must apply to every employee, from the first day of onboarding, through to the last day before retirement. When teamed with 2FA, effective password management enables employees to safely share credentials while maintaining excellent standards in terms of password hygiene.