Does your company use two-factor authentication to protect its data? If not, maybe it's time you considered adopting the practice.
The Heartbleed bug is just the latest example of the vulnerability of regular passwords. For better protection, small businesses should consider taking security to the next level, with two-factor authentication.
That's what a company called Prevendra did. Its Red Folder app is designed to hold all of a consumer's important information, so it can be retrieved in case of emergency. Stored information includes bank account numbers; life insurance contacts; and even passwords, usernames and email addresses to access online accounts — the type of data you don't want unauthorized eyes to see.
To keep it safe, Red Folder, which is moving out of beta, is adding two-factor authentication to its security, said Christopher Burgess, president and CEO of Prevendra.
"Passwords have been in use since the late 1980s as the means to control access and, as such, rely on something you know — nothing more," Burgess said, explaining why he made the decision to go to two-factor authentication. "Two-factor authentication, by design, separates two separate issues: what you know and what you have." That is, the security measure requires you to both know a password and have access to your cell phone, for example.
Two-factor authentication can be done in a variety of ways. Users of Prevendra's app, for example, first log in using a password, but they then receive a second validation code by either a text message or a phone call, which they must input in order to validate the session.
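The second step of that login flow, issuing a code after the password is accepted and checking what the user types back, can be sketched as follows. This is an added example, not Prevendra's code; the class name, the five-minute validity window and the five-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a delivered code
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code


class SecondFactor:
    """Hypothetical server-side check for the code sent after the password step."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session id -> [code digest, expiry, attempts left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, session_id):
        """Call only after the password was accepted; deliver the result by text or call."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        expiry = self._clock() + CODE_TTL_SECONDS
        self._pending[session_id] = [self._digest(code), expiry, MAX_ATTEMPTS]
        return code

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no code outstanding, or it was already used
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts <= 0:
            del self._pending[session_id]  # expired or guessed too often
            return False
        entry[2] = attempts - 1
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[session_id]  # a code validates one session, once
            return True
        return False


if __name__ == "__main__":
    auth = SecondFactor()
    sent = auth.issue("session-1")         # constructed session id
    print(auth.verify("session-1", sent))  # first use of the delivered code
    print(auth.verify("session-1", sent))  # replay of the same code
```

The expiry, the guess limit and the single-use deletion are what keep a six-digit code from being guessed or replayed; without them the second factor adds little over the password.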
Some companies choose to use a biometric two-factor configuration, perhaps requiring a fingerprint scan or voice recognition along with a password. Businesses also use hardware tokens (the type that have regularly changing sets of numbers) for two-factor authentication. Others use a QR code that is scanned using a smartphone or tablet.
While two-factor authentication may sound complicated and cumbersome, Sorin Mustaca, an IT security expert at Avira, said it's the only way to properly secure critical assets and mobile devices.
"Passwords can be guessed and are very often reused. With so many hacks which occurred, no password can be considered secure anymore. This is why the two-factor authentication is the only way to secure the critical assets of the company," he said.
For businesses that regularly access the network remotely, whether through a virtual private network (VPN) or by checking email on a smartphone, two-factor authentication is much safer and more secure than a simple password. Yet, small businesses too often decide not to implement this type of authentication. Mustaca thinks this is due to a lack of understanding about the method, and because businesses take an all-or-nothing approach. Not every situation will call for two-factor authentication, he said.
"Companies should use two-factor authentication to protect assets which are easily stolen and which can be attacked from outside. Any other situation should be properly analyzed, and the risks should be mitigated properly before adding the extra protection," Mustaca said.
Small businesses should also consider two-factor authentication for internally shared environments. This adds a layer of protection to keep employees from accessing unauthorized files and applications.
A second authentication factor secures external connections, as well, allowing the business to verify its customers and customer data. This extra protection also shows customers that your business takes their security and privacy seriously.
Adding two-factor authentication to applications can be as simple as turning on the options already available. Web-based email, social media sites and cloud applications like Dropbox now utilize two-factor authentication, for example. If you use an outside vendor for network security, adding the extra authentication layer can be as simple as taking advantage of an existing software capability on network security products you're already using, said David Finger, director of product marketing for Fortinet. Keep in mind that costs will go up for more-sophisticated measures like biometrics or when adding hardware like tokens.
Whatever type of two-factor authentication a business uses, in the end, it justifies the time and the expense, experts said. And luckily, many of today's soft-token methods make the practice easy and affordable for the average small business.
"I think we have all received password reset notices — whether in response to the recent OpenSSL vulnerability, Target data breach or otherwise — which underscores the importance of stronger authentication methods than the traditional user name and password," said Finger. "Security measures like this are especially important when we consider the growing incidence of data theft, the potential impact of an incident on the business, and how integral each smaller business is to the livelihood of its owner and employees."