Securing your organization’s sensitive data is a vital part of information policy for any entity, no matter how large or how small. Passwords are not what they used to be—in fact, they were never all that secure in the first place. Even with strong password practices, the bitter truth is that anyone who styles themselves a hacker can download a password cracking tool and break a “strong” eight-character password in a matter of minutes. Without additional measures, your security is about as watertight as a laundry basket.

Two-step authentication is an enhanced method of online security that protects accounts from unauthorized access in the event that someone obtains your passwords, whether through theft or a data breach. Getting started with two-step (also called two-factor) authentication is not difficult once you get past the jargon. The easiest way to explain two-step authentication is this:

  1. Something you know: A password, PIN, answer to a specific question, or a pattern traced on a touchscreen.
  2. Something you have: A phone to receive an SMS message, a fingerprint, or a special “one-time use” code.

For instance, to enter a secure area you might be required to swipe your employee identification card and then enter a unique code on a keypad to open the door. Online two-step authentication works on exactly the same principle.

Some employees will groan about having to use two-step authentication just the same way that they groan about having to change their passwords every so often. However, those grumblings will be drowned out by the cries of the IT staff and the wailing of management should a data breach occur. And considering just how much crossover takes place on work machines, it behooves your employees to understand just how much could be exposed.

Two-step authentication is becoming more common, especially on sites that handle sensitive financial data and for users on internal networks that handle secured, proprietary data. While not every site or security level calls for two-step authentication, you should form your policy around your most sensitive data and the most common targets of hacking, which can include social media, email accounts, and cloud storage sites. Consider using two-step authentication on the following types of sites if it is offered.

  • Online password managers like LastPass and Dashlane. If your online password manager does not offer two-step authentication, consider changing to one that does. After all, if someone obtains the password for your password manager, every password stored in it is exposed.
  • Web-based email accounts such as Google’s Gmail. Having your email hacked exposes not only your finances, but your friends, family, and coworkers to potential hackers as well. A message coming from your email address with a plausible subject line could put family and friends at risk of malware and phishing.
  • Social media and blogging sites such as Twitter, LinkedIn, Facebook, WordPress, Tumblr and other sites associated with your web presence.
  • Cloud storage sites such as Dropbox and iCloud, especially if the site is holding your sensitive data backups.
  • Work and productivity sites such as Evernote, Microsoft, and Adobe Creative Cloud.

There are excellent resources documenting which sites do and do not support two-step authentication. Should you find that one of your critical services does not support it, you will be able to find another service that does.

On an Internet that’s becoming both more secure and less secure by the day, two-factor authentication is a step in the right direction to ensure your private data remains safe.