Introduction to Two-Factor Authentication (2FA)

You might be supervising on the building site or doing a stock-take in your store, and two-factor authentication is the last thing on your mind. That’s if you’ve even heard of the term.

Some businesses have a dedicated IT resource to do “that stuff” but it might not be realistic for your business where strict budget constraints exist.

Nonetheless, there are crucial steps you can take that require little technical knowledge to safeguard your data. Let’s investigate what has been happening globally to warrant this article. Sadly, there has been a sharp increase in cybercrime since Covid-19, including:

  • Phishing (said like fishing) – fake email messages to get your personal information, for example “The IRD requires your password to give you a tax refund”
  • Identity theft – taking your details and pretending to be you
  • Hacking – taking down websites or computer networks

More and more people are working from home and our whole lives have morphed into the digital space. It means more and more opportunities for fraudsters. Businesses are having to protect not only their sensitive business data but the data of their customers they hold.


What exactly is 2FA?

Two-factor authentication (2FA) confirms it is you, using another device, before you access something. For example, if you log in to your cloud service on your laptop and you have set up 2FA correctly, you will receive a text on your smartphone with a verification code like this:

[Image: 2FA verification SMS]

There are several different ways of describing 2FA including multi-factor authentication or two-step verification.


How does 2FA work?

Essentially you enter your password (as you normally do on your device) then a second factor like a security token will pop up on your phone. You do it this way because there is little chance a hacker would have your second device to steal your credentials.

Here is the process:

  1. You are prompted to log in as normal by the application or website
  2. You enter your credentials (username and password)
  3. The site prompts you to initiate the second login step (usually a token but it does come in other forms)
  4. You enter the one-time code that was provided in step three
  5. With both factors now authenticated, you are granted access to the application or website.


The benefits of 2FA

We think nothing of our bank insisting on a four-digit private pin on our bank card. The benefit is it keeps our money safe. Why would your business data be any different? Invoices, supplier contracts, payroll details, employment contracts – they are all valuable pieces of private data that belong to your business. Making 2FA second nature benefits your business by:

  • Adding a layer of protection to your logins – hackers will still snoop but using 2FA will alert you to those attempts. After all, how likely is it that your hacker will have your smartphone in their possession? 2FA means they now will need that additional approval to get in
  • It is relatively manageable. Information security as a wider topic can be tough to understand at first but 2FA itself is relatively simple to set up. And it is not a big deal to check your phone for a second prompt. It is better than a stranger getting into your accounts.


The types of 2FA methods

  • SMS token – this is the most common type of 2FA. Once you have logged in with your standard credentials, the platform that you are trying to enter sends a one-time SMS verification code to your smartphone. You enter that code into the provided field.
  • Email token – you are sent the code via email. Some people find this too much of a time-waster. Your email can be compromised, so opting for SMS is better.
  • Software token – this is the next level in authentication. We will dive into it in another article. This method requires a separate piece of software like Authy, Google Authenticator or Microsoft Authenticator to verify logins. Night Owl has used all three and will share findings in a later article. The timed number code provided by such software can simply be entered, and it grants access to the application.
  • Biometric authentication – as the name suggests, biometrics uses your personal biology to identify you. Identification such as facial recognition or a fingerprint is used to verify who is accessing your platform.
  • Security questions – this is the original form of authentication and it is pretty weak. Someone serious about getting into your company account can find out your mother’s maiden name by going to any family genealogy site. Don’t use this method as the only 2FA type. And with social media, everyone knows everything about each other’s family these days.

Night Owl hopes this article has briefly introduced 2FA into your business vocabulary. If you have any issues setting up 2FA for your business, please don’t hesitate to contact Night Owl Digital for support.