Weak passwords are a reality in both business and personal life. Password exploits are the preferred method for hackers to breach both corporate and private systems today, with thousands of accounts falling prey to either brute-forced or compromised passwords every day.

The only way to stop the onslaught is to move your business to a solid two-factor authentication scheme.

What is two-factor authentication?

Two-factor authentication provides an extra layer of account security over and above a simple password. Although the password is still required, an additional safeguard is inserted into the login process – a code, either generated or sent to the user at the moment of authentication, which must also be entered to allow access. This combination, referred to as ‘something you know’ (the password) and ‘something you have’ (the key), renders systems vastly more secure than relying on only one or the other. The odds of a hacker obtaining both the key token and the password are extremely low.

If it’s good enough for big business…

Big business has been moving toward two-factor authentication for many years now. Google, Twitter, Apple, and other major online service providers all offer the two-factor option for users. Now support for two-factor authentication is so widespread that all businesses should be considering it, and implementing it where practical.

… it should be good enough for you

The largest challenge for a small business attempting to implement two-factor authentication is to provide employees with a means of receiving the key code required for login. At one time, the only viable options for this were to have them call in to a central control center that would issue the key verbally, or to equip them with independent, battery-operated cryptographic key fobs, synchronized with the backend authentication system, which generate valid codes at the push of a button. Both systems were expensive, the verbal one in staffing and time, the fobs in equipment and integration costs.

Putting the smart in smartphone

The explosion in popularity of smartphones has changed the options. With a portable computer in almost every employee’s pocket, secure delivery of cryptographic authentication codes has become foolproof to implement.

Cloud-based services such as Google Apps or Microsoft’s Office 365 already have their own two-factor authentication systems set up and ready to use. For businesses using these services, activating two-factor authentication for users is as simple as changing a configuration setting in the administrative control panel for the company.

Businesses that use Microsoft’s Active Directory authentication system have the option of using the same system that Office 365 offers – even if they don’t use Office 365 – by integrating their Active Directory with Microsoft’s Azure cloud platform. Azure Multi-Factor Authentication uses employee cell phones to deliver login tokens on demand. The phones can receive the code via simple text messaging, via an automated phone call, or via a secure app installed on the phone.

Many third-party systems are also available that can plug into Active Directory systems on site, but those have the same cost and integration difficulties as previous two-factor systems.

Third party systems

Unfortunately, third-party systems remain the only option for businesses that make use of various Unix-based directory and authentication services. RADIUS authentication (which can be used in both Unix and Windows environments) has considerable support among hardware-based token manufacturers. Third-party two-factor schemes, such as Duo or Google’s Authenticator system, can be adapted for use with Secure Shell (SSH) logins.

The only option for true online security

Regardless of the underlying software systems at your business, the time has come to seriously investigate implementing two-factor authentication services for both customer and staff login. The sophistication of third-party attacks and the congenital lack of password discipline will make two-factor systems the de facto minimum for true online security for the foreseeable future.

Four Business Solutions can help you better manage and secure your business. If you’d like to know more, please call me, John O’Brien, on 0800 6250 025.

John O’Brien is the CEO at Four Business Solutions, global business consultants and software integrators providing business process improvements in Finance, Supply Chain & Operations, across a broad range of industries.