
Two Factor What? Everything you need to know about Two Factor Authentication (2FA)

What’s the first thing you think about when someone mentions keeping your online accounts safe? We bet it’s having a long, complicated password. And this is because for many years, having a strong password was the main way to secure an account.

But passwords are vulnerable. And every time a B2C company is hacked, there’s a high chance that your login details have been compromised and will soon be available for criminals to purchase on the dark web. That’s where security measures like Two Factor Authentication come in.

What is Two Factor Authentication?

Two Factor Authentication (also known as 2FA or 2-step verification) is the practice of adding an extra layer of security to your logins. It lets an application link your account to a second authentication mechanism (e.g. the Google Authenticator app or your mobile phone). When you enter your password to log in, that mechanism produces a short-lived code which the application checks to confirm that the login is genuine.

Most applications that handle sensitive data support 2FA, including email, cloud storage, banking and business applications.

Why is Two Factor Authentication important, and why aren’t passwords enough?

There is a constant security threat to any organization that provides services over the internet – which is a lot of businesses. Cyberattacks are becoming increasingly sophisticated, and a successful one can let third parties steal long lists of usernames and passwords. With this information, they can attempt to take over those accounts.

This risk is further exacerbated by the fact that many people reuse the same password across many applications. This means that when attackers obtain someone’s username and password combination, they can access several of that person’s accounts.

So, an easy way to prevent this type of unauthorised access is to activate Two Factor Authentication, particularly in applications that contain sensitive data. Preventing access to your account can help protect your personal information and prevent further leaks or loss of data. When you have 2FA active and a third party tries to gain access to your account using your username and password, they will be asked for the 2FA number which they will not have, preventing access to your account.

What are the different types of Two Factor Authentication?

While they all work under more or less the same premise, there are a number of different types of two factor authentication available:

Authenticator App 2FA: this is where the user downloads a free authenticator app to their mobile device. When the user attempts to log in, they’ll need to open the app and enter the unique one-time passcode (OTP) it displays.

SMS text or voice-based 2FA: this is where the user is sent a unique code via text message to a mobile device. Alternatively, they’ll receive a call to their phone number with their code. The user then needs to enter this code to complete their login.

Push-based notification 2FA: this is when a notification is sent to the relevant app already installed on the user’s phone (for example the Gmail app). The user then just needs to approve it.

Hardware token/key 2FA: this is one of the earlier forms of 2FA, and is when the user is issued with a device which they use to receive a numeric code for login.

Biometric approval: this is a relatively new addition to the 2FA world, where the user provides a piece of biometric data (e.g. a fingerprint or a facial recognition image) which is compared against the enrolled data to confirm their identity at login.

Remember to protect your recovery codes

Recovery codes are one-use codes issued when you’re setting up 2FA. Remember to keep a record of them, as they’ll let you access your account if your authentication device (e.g. your mobile phone) is lost or stolen.
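On the service side, the one-use property comes from burning each code the first time it is redeemed. This added example (not Red Sift’s code; the in-memory list stands in for the account’s database record) shows codes being issued, stored only as hashes, and consumed.

```python
# Added example: issuing and redeeming single-use 2FA recovery codes.
# The stored list is a stand-in for the account's database record.
import hashlib
import hmac
import secrets


def issue_recovery_codes(count: int = 8) -> tuple:
    """Return (plaintext codes to show the user once, digests to store).
    Each code carries 64 bits of randomness, so an unsalted SHA-256 digest
    is enough: there is no dictionary to try against it."""
    codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    digests = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    return codes, digests


def redeem_recovery_code(stored: list, submitted: str) -> bool:
    """Accept a code only if its digest is still present, then delete the
    digest so the same code can never be used a second time."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for index, candidate in enumerate(stored):
        if hmac.compare_digest(candidate, digest):
            del stored[index]
            return True
    return False


if __name__ == "__main__":
    shown_once, account_record = issue_recovery_codes()
    print("give the user these codes:", shown_once)
    print("first use:", redeem_recovery_code(account_record, shown_once[0]))
    print("second use:", redeem_recovery_code(account_record, shown_once[0]))
```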

Why doesn’t everyone use Two Factor Authentication?

Two Factor Authentication may sound like a no-brainer, but worryingly, ‘How to turn off two factor authentication’ is quite a popular Google search term.

Simply put, people like convenience. People are accustomed to using just their password when logging in to an account, and in many cases that password is stored in their computer or browser. So, having to open an app or pull out a key to log in to their account is more time-consuming.

But while 2FA may add another step to your login process, in a world with an ever-increasing risk of account takeovers, the security it provides is invaluable. More and more applications offer it, and a large number of companies are now making it mandatory for their employees. This is particularly significant during these post-COVID times, when working from home and logging in remotely is now the norm in most businesses.

What’s the difference between Two Factor Authentication and Multi Factor Authentication?

Two Factor Authentication and multi factor authentication aren’t that different. Whereas 2FA adds exactly one extra factor to the password, multi factor authentication may require several devices or factors to authenticate. Some companies with a lot of sensitive, financial, or personal information at risk may choose multi factor authentication as an added measure.

How to see if you’ve been part of a data breach

It doesn’t matter if your password is complex or long, or if you have different passwords for different accounts. The truth is if your password has been part of a data breach then your account is at risk.

haveibeenpwned.com is a useful tool that helps you check if your email and password have ever been part of a data breach. Google also offers a similar functionality that allows you to check if any of your passwords stored in the Chrome password manager are part of an exposed data breach.

Does Red Sift offer Two Factor Authentication on its products?

Of course! If you want to activate 2FA in your OnDMARC application you can go to My Account (top right), scroll down to Security and click on Enable two-factor authentication. You can also consult our step-by-step article.

Not an OnDMARC customer but want to try it out? Why not sign up below for your free trial.

PUBLISHED BY

Gino Coquis

16 Aug. 2021
