When we think about keeping our internet accounts safe (email, cloud storage, social networks, etc.), we think about having a long, complicated password. Every account you create asks you for a password, and for many years this has been the main way to secure an account.
But passwords are vulnerable. Every time a consumer-facing (B2C) company is breached there is a good chance that your username, email address and password (or its hash) end up on the dark web, available for purchase. Notorious breaches that exposed sensitive data for millions of people include:
- Dropbox:
  - In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of its customers.
  - In August 2016, it forced password resets for customers it believed might be at risk. A large volume of data totalling over 68 million records was subsequently traded online.
- LinkedIn:
  - In May 2016, LinkedIn had 164 million email addresses and passwords exposed. The data came from a breach in 2012 and only surfaced for sale four years later.
https://haveibeenpwned.com is a useful tool for checking whether your email address, or a password you use, has appeared in a known data breach.
More recently, Google added similar functionality to Chrome: the browser checks whether any of the passwords saved in its password manager are known to have been exposed in a breach.
It doesn't matter how long or complex your password is: once it has been part of a data breach, the account it protects is at risk. Using a different password for every account limits the damage to the breached service, but it does not protect that service.
The most practical and robust way to secure access to your accounts is to activate Two Factor Authentication (2FA).
What is 2FA?
Two Factor Authentication, or 2FA, links your account to a second authentication mechanism on top of your password, typically an authenticator app such as Google Authenticator. At enrolment the app and the application agree on a shared secret; the app then uses it to generate a short numeric code that changes every 30 seconds, and the application computes the same code on its side and only accepts the login when the two match.
Most applications that handle sensitive data support 2FA: email, cloud storage, business applications and so on.
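The following is an added example, not code from the original article or from OnDMARC, showing how the rotating code described above is produced and checked (RFC 6238 TOTP over the RFC 4226 HOTP construction, as authenticator apps implement it) and how a login that requires it behaves when an attacker holds only the stolen password. The secret is the RFC 4226 test key used as constructed sample data; the user record, password hashing and login function are a toy illustration rather than any real product's implementation.

```python
"""Added example (not OnDMARC code): RFC 6238 TOTP generation and verification,
plus a toy login check showing why a stolen password alone is not enough.
Standard library only. The secret below is the RFC 4226 Appendix D test key,
used as constructed sample data; a real deployment generates a random secret
per user at enrolment."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

TOTP_STEP = 30      # seconds per code, the RFC 6238 default used by authenticator apps
TOTP_DIGITS = 6
RFC_SECRET = b"12345678901234567890"   # RFC 4226 test key (sample data, not a real secret)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time. This is what the app displays."""
    return hotp(secret, at // step)


def secret_from_base32(text: str) -> bytes:
    """Apps show the shared secret as base32; tolerate spaces, lower case and missing padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def match_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> Optional[int]:
    """Return the counter whose code matches the submitted one, checking the current
    step and `window` steps either side to absorb clock drift; None if nothing matches.
    compare_digest keeps the comparison constant-time."""
    counter = at // TOTP_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return counter + delta
    return None


def make_user(password: str, totp_secret: bytes) -> dict:
    """Toy user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": -1,     # highest counter already accepted, so a code cannot be replayed
    }


def attempt_login(user: dict, password: str, code: Optional[str], now: int) -> str:
    """Check the password first, then the second factor. Returns "ok" or a denial reason.
    The reasons are spelled out here for illustration; a production login should
    report one generic failure so an attacker cannot tell which factor was wrong."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return "denied: bad password"
    if not code:
        return "denied: second factor required"
    counter = match_totp(user["totp_secret"], code, now)
    if counter is None:
        return "denied: bad code"
    if counter <= user["last_counter"]:
        return "denied: code already used"   # RFC 6238 section 5.2: never accept a code twice
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_SECRET)
    now = int(time.time())
    stolen_password = "correct horse battery staple"
    print("attacker, stolen password, no code:", attempt_login(user, stolen_password, None, now))
    print("owner, current code:", attempt_login(user, stolen_password, totp(RFC_SECRET, now), now))
    print("same code replayed:", attempt_login(user, stolen_password, totp(RFC_SECRET, now), now))
```

The `window` of one step on each side is what most servers use: it tolerates a phone clock that is a few seconds off without accepting codes that are minutes old. Recording the last accepted counter is the part that is easy to forget; without it a code captured from the user during its 30-second lifetime can be reused by the attacker.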
Why is it important?
Any organisation that provides services over the internet is under constant threat. A successful attack can let third parties steal lists of usernames and passwords, and with that information they can attempt to take over the affected accounts.
An easy way to prevent this kind of unauthorised access is to activate 2FA, particularly in applications that hold sensitive data. Keeping attackers out of your account protects your personal information and prevents further leaks or loss of data.
The risk is made worse by the fact that many people reuse the same password across many applications. Once attackers have one username/password combination, they try it against other services (credential stuffing) and can get into several of that person's accounts.
With 2FA active, a third party who tries to log in with your username and password is also asked for the 2FA code, which they do not have, so the login fails.
Other authentication mechanisms include physical security keys (FIDO2/WebAuthn keys, for example). They are linked to your account in the same way and validate each login by signing a challenge tied to the site you are logging in to, which also makes them resistant to phishing, something a code typed into a fake login page is not. Some versions are NFC enabled and can be used with mobile applications.
Recovery codes
When you set up 2FA for an application, keep a record of the recovery codes it gives you. If you lose access to your second factor (for example your phone is lost or stolen) you will also lose access to the account, and the single-use recovery codes are the way to get it back. Store them somewhere separate from the device that runs your authenticator app.
Why doesn’t everyone use it?
Simply put, convenience. People are used to typing just their password, which in many cases is stored in their computer or browser, so having to open an app or pull out a key to log in to an account takes more time.
The ever-increasing risk of account takeover and the protection 2FA provides make it a great security mechanism for your online accounts. More and more applications offer it, and a large number of companies now make it mandatory for their employees. This is particularly significant now that logging in remotely, to services that are themselves remote, is the norm in most businesses.
If you want to activate 2FA in your OnDMARC application, go to My Account (top right), scroll down to Security and click Enable two-factor authentication. For further information about enabling 2FA on your OnDMARC account, read our step-by-step article.