Four tips on implementing 2FA policies
This spring, Instagram added two-factor authentication to its accounts to put a second barrier between an attacker and a stolen password. If you're still authenticating remote users with a single password, it's time to make a change. There's too much at stake. With that in mind, here are four things to keep in mind when considering a two-factor authentication (2FA) policy for your organization, and one thing you should probably avoid.
1. Consider alternatives to key fobs
While physical access tokens, such as those made by RSA, are great at providing secure multi-factor authentication (MFA), they can be a pain to use. If your users misplace them, it causes delays and additional expense (and a lost-token replacement process that is itself a target). Many multi-factor solutions offer a choice of method for the second factor, such as corporate email, a telephone call, or SMS. Two caveats: a phone number can be redirected by an attacker (call forwarding, SIM swap, number porting), so treat call and SMS codes as the floor rather than the ceiling; and corporate email only counts as a separate factor if the mailbox itself is protected by something other than the same password.
2. Choose the right factor
With multiple authentication factors to choose from, how do you know which one is right for your organization? If your first factor is a strong password (you do require long, unique passwords, right? Length and uniqueness matter more than a prescribed mix of upper and lower case, numbers, and special characters), then your second factor should be based on what type of access you are managing. If you're managing remote employees, you might want to use something that is tied to their employment, like a corporate email address or key card. Authenticating non-employees and want to keep it relatively painless? Consider placing a telephone call or sending a text to a mobile device that was registered when the account was created, never to a number supplied at login time.
3. Mind your vendors
If you allow remote access for consultants and vendors and want to authenticate each person individually, you would need to provision an account and manage an access card for every vendor employee, or risk a single shared account being passed around the vendor organization (which destroys accountability and makes offboarding impossible). This can be very time-consuming and cost-prohibitive. Consider a dedicated vendor management solution instead. SecureLink provides a platform and consulting services dedicated to managing third-party remote access.
4. More expensive isn’t always better
If you don't have the budget to implement an expensive multi-factor authentication solution, a dash of policy can go a long way. Record a mobile telephone number for each user who needs access. Leave the account disabled by default; when the user calls the help desk to request access, the help desk calls them back on the number stored in the account record, not on a number the caller gives over the phone. If they answer, enable the account for a limited window and log who approved it. Poof! Instant two-factor authentication: the password is something the user knows, and answering the callback proves they hold the registered phone. The same caveat as above applies (a phone number can be hijacked), and the help desk itself becomes the target of social engineering, so give it a script and no discretion to skip the callback. And now, one 2FA issue to avoid:
Beware the password reset
It's easy to confuse multi-layer authentication with multi-factor. Multi-layer consists of two layers of the same type of mechanism, such as a password and a secret question (both something you know) or a mobile device and a key fob (both something you have). Multi-factor authentication requires factors of at least two different types: something you know, something you have, or something you are. If you are authenticating to a website, it's easy to accidentally remove one of your factors through the recovery path. If a user can reset their password and simply have a new one emailed to them, then whoever controls that mailbox controls the account; the "something you know" has quietly collapsed into "can read this email". All multi-factor authentication processes need a provision for a lost or forgotten factor, and that provision must demand the same two kinds of proof as a normal login. For example, you could have the user answer a series of secret questions (the knowledge factor) and then receive a one-time authorization code on the mobile device already registered to the account (the possession factor) before they are able to set a new password. The code should be short-lived, single-use, and sent only to the contact point on record.