2 Factor Authentication---
Two Factor Authentication
TABLE OF CONTENT
In this article, we look at two-factor authentication in detail and review whether or not it is a worthy security tool that you should consider using to improve your company security protocols and safeguard your customer data.
As one of the most well-known and highly regarded payment processing companies that are reported to have over 85 million active accounts, we look at their history with two-step authentication, their challenges with the technology, along with their present two-factor google authentication process.
Back in 2015, PayPal suspended its PayPal Security key, also known as PayPal 2FA amidst concerns with the administration of the logins from the mobile app.
This announcement came following a disclosure that stated it was possible to bypass PayPal’s 2-factor authentication protocol. Due to the severity of this vulnerability, the decision was taken to withdraw this while works took place, and the issues with PayPal’s 2FA were rectified.
In a public response, PayPal assured their customers that their accounts had not been compromised and for all other products, with the exception of their app, PayPal two-step authentication worked as it should.
In a blog post that was authored by PayPal’s then Director of Global Initiatives, they stated that PayPal’s security is not dependent upon 2FA in order to keep the customer and their accounts secure.
The PayPal Security Key adds a secondary layer of authentication when you log in to your PayPal account. Along with the normal process of entering your Username and Password, you will also be asked to enter a single-use pin.
This is also referred to as a One Time Pin or OTP for short. Each time you log in to PayPal, you will be issued with a unique pin to use.
The code is sent to your mobile device via a text message which you need to enter alongside your Username and Password. There is no additional fee to use the PayPal Security Key.
Another way that you can now use two-factor authentication with PayPal is by using the Google Authentication tool. It is easy to set up and requires that you simply enter a code that is generated in order to verify the second level of security.
Another well-known tool that offers a similar service to the Google Authentication is called Authy.
If you want to get started with enabling two-factor authentication across your most frequently used business apps, here is a list of apps which you can enable two-step authentication immediately.
- Team Viewer
While PayPal Two Step Authentication has been in the press, 2FA or Multi-Factor Authentication (MFA) as it is otherwise referred to is now considered to be a common-place additional security layer that helps to negate the vulnerabilities that are closely associated with password-only security processes.
Supercharging Your Security
In a world where the simple security requirement of a Password and Username is no longer fit for purpose, organizations and consumers alike need something more robust, more secure, and less likely to leave them susceptible to vulnerabilities that could ultimately lead to their personal information becoming compromised and for their data for fall into the wrong hands.
Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) are essentially the same things. By adding in an extra level of security which takes a user an additional 30 seconds to complete, this provides a far more robust way to access and use services online.
A combination approach that requires both a Username and Password, along with something such as the PayPal two factor google authenticator is a highly-secure way to operate. A user will have to input a code that is sent to them via a device that they physically have access to, along with the information they know.
Simply put, two-factor authentication is a blend of something you know with something you have.
- LAN, WAN, MAN
- CSS Prevention
- Practice Your Hacking
- Network Engineer
- SAS 70
- PCI Compiance
- SOC 2
- API Scanner Information
- Computer Data Storage
- CSRF Countermeasures
- Is Social Media Security Important?
- Need an MSP?
Looking back to when authentication was first introduced, organizations where heavily dependent on hardware tokens which were used in order to generate secure 2FA codes for their users.
A good example of those who first introduced two-step authentication into the mainstream marketplace were financial institutions, such as banks. However, the initial user experience of two-step authentication when it was first released was somewhat clunky due to issues surrounding broken, lost, and expired tokens.
Ultra-Modern Two-Step Authentication
Thankfully, since the original PayPal security key was introduced, two-factor authentication, on the whole, has moved forward leaps and bounds.
With more modern token-less systems, comes a slicker and quicker 2FA process. The implementation, roll-out, and ongoing two-factor authentication management are far easier than ever before.
Although some 2FA processes will use a code, others might send a text message, initiate a call or send a secure email. Whichever way you look at it, the principal remains largely the same.
Users still need to enter a Username and Password, proving they have ‘knowledge of the security credentials.’ They are then required to verify they hold a physical device or have access to a verified email account in order to pass the second step of the authentication process.
Social Media Security a thing these days? @TechnologyTulsa
— Nozak Consulting (@NozakConsulting) December 1, 2018
Organizations of all shapes and sizes use 2FA. Just as each company that uses two-factor authentication is unique, so are the types of 2-step authentication that can be used.
Because the vast majority of individuals lead a digital life, our virtual identity plays a significant role in our everyday life. In some instances, the online perception of ourselves can be equally as important as our real-life presence.
Consider if someone were able to impersonate you in real life, how far could they get?
Your friends and family surely wouldn’t be fooled. However, when identities are stolen, passwords forged, and access to your most personal information is taken on by an unknown entity ‘the hacker’; this can wreak havoc with your personal and professional life.
Reputation, Finances and Public Image can all be impacted.
Another important factor to consider is the rise in the number of cyber attacks, along with the advanced tactics these crooks are using in order to gain access to your information.
It’s no longer a case of the online criminals targeting the larger corporate entities; far from it. Small to Medium sized businesses are prime targets as they are thought to not have the same level of security that the larger corporations can afford.
Especially in the case of smaller businesses and self-employed Entrepreneurs who will often not enlist the help of an IT support operation to support their needs. Even for those who do have an IT support team, this is not always enough to protect a business from being taken offline or worst still, being held to ransom for their private company data.
It seems like almost every day there is a new report of large corporations and government organisations losing control over their customer information. In some cases, this is data that is stolen, and in others, the data loss or leak occurs because of lax security protocols.
At the end of the day, it doesn’t matter how it happens; the fact that your personal information, including your passwords, are revealed on the web for all to see. For those who make a living from cyber crime, this information is seen as gold dust.
With many people choosing to use the same password for a number of accounts and access points, and with so many organizations not retaining the correct control of your private information; the question is no longer ‘if’ your passwords might be compromised, nor ‘when’.
They will most likely already have been exposed at some point, and the only way to get around this is to beef up your access security and make sure you are using highly-secure passwords, which are not replicated from one site to the next.
This is why people and organizations need to deploy Two-Step Authentication, to protect their own reputation and their private customer and company information.
It can significantly reduce any likelihood of identity theft, as well as scams such as phishing attacks. Without the ability to access accounts using just a Username and Password, this means cyber-criminals cannot compromise or hack into accounts so easily.
Token-less 2FA is far easier and pain-free for people to use when compared with the older two-factor authentication methods that were implemented in the past and required fobs to be carried around. They are quick and cost less to implement, and the ongoing support and maintenance required are minimal.
When you consider that you are adding in another step to the login process, for some people, this is mildly inconvenient. If you are ever trying to log in, and for instance, have run out of battery on your mobile device, then this can be even more of an inconvenience.
Whenever you try to log in, you will be asked to enter in a code. Most of the codes that are generated will have a specific expiry time which is anything from 60 seconds to 5 minutes. If you miss the window, you will need to request a new passcode to use again.
This is the only downside to using 2FA. The extra time it takes, and the process of waiting for and having to input a new code are the sum total of negative factors of using two-factor authentication.
The alternative is a stolen identity, a compromised account or even a hijacked account which is being held to ransom.
While many think this type of thing never happens to ‘ordinary folk’, the cyber criminals have no limitations when it comes to who and how they will attack.
Consider this additional 30-second hurdle with the inconvenience of having to change your email address or use a new one. Consider having to cancel credit and debits cards and having to call each and every company you deal with to update your details.
From a business perspective, having to explain to customers why their personal information is no longer private, or even having to make a public press release about how your IT protocols where not adequate enough.
Depending on the type of attack, if you get a ransom request, you might be faced with an unknown entity threatening to email your customers or worse still, having all of your company information deleted altogether.
Any of these issue in isolation can be catastrophically inconvenient. Especially when you consider they could have been avoided by simply going through an extra 30-second two-factor authentication process.
If you haven’t already enabled 2FA within your business or across your accounts, do it today.
If you want to learn more about securing your company data to ensure that it remains secure and protected, we are always here to help guide you through the myriad of options that are available to help you stay secure and protected against the latest online threats.