Four Tips to Implement 2FA Policies

June 09, 2017//Ellen Neveux

Last Updated: November 18, 2020

Justin Strackany is Chief Customer Officer for SecureLink and a recognized leader in third-party remote access policy and implementation.

This spring, Instagram folded two-factor authentication into its processes to add an additional layer of security to prevent breaches. If you’re still authenticating remote users with a single password, it’s time to make a change. There’s just too much at stake. Here are four things to keep in mind when considering a two-factor authentication policy for your organization, and one thing you should probably avoid.

  1. Consider alternatives to key fobs
    While physical access tokens, such as those made by RSA, are great at providing secure multi-factor authentication, they can be a pain to use. If your users misplace them, it can cause delays and additional expense. Many multi-factor solutions offer a choice of which method to use for your second factor, such as corporate email, telephone, or SMS.
  2. Choose the right factor
    With multiple factors to choose from, how do you know which one is right for your organization? If your first factor is a secure password (you do require complex passwords with a mixture of upper and lower case, numbers, and special characters, right?), then your second factor should be based on what type of access you are managing. If you’re managing remote employees, you might want to use something that is tied to their employment, like a corporate email address or key card. Authenticating non-employees and want to make authentication relatively painless? Consider placing a telephone call or sending a text to a mobile device.
  3. Mind your vendors
    If you allow remote access from consultants and vendors and want to individually authenticate users, you might need to have multiple accounts and manage access cards for every vendor employee, or risk these accounts being shared across the vendor organization. This can be very time-consuming and cost-prohibitive. Consider a dedicated vendor management solution instead. SecureLink provides a platform and consulting services dedicated to managing third-party remote access.
  4. More expensive isn’t always better
    If you don’t have a budget to implement an expensive solution, a dash of policy can go a long way. Consider associating a mobile telephone number with each user who needs access. Disable their account and, when they call the help desk to request access, call them back on the number associated with their account. If they answer, enable the account. Poof! Instant dual-factor authentication.

And now, one thing to avoid:

Beware the reset password

It’s easy to confuse multi-layer authentication with multi-factor. Multi-layer consists of two layers of the same type of mechanism, such as a password and secret question or a mobile device and key fob. Multi-factor contains at least one of each type, literally something you have and something you know. If you are authenticating to a website, it’s easy to accidentally remove one of your factors. If a user can reset their password and simply have it emailed to them, then they suddenly need to know only a single email and password to get access to your system. All multi-factor authentication processes need a provision for when one of the factors is lost or forgotten. For example, you could have the user answer a series of secret questions and then receive an authorization key on their mobile device before they are able to reset their password.
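
An added example (not from the original article or from SecureLink): a small Python check that enumerates every way into an account, reset routes included, and reports which factor types each way really needs. The mechanism names, the three configurations, and the assumption that a mailbox is protected by a password alone are constructed for illustration.

```python
from itertools import product

# Factor type per mechanism: "know" or "have". Names are constructed for this example.
FACTOR = {
    "password": "know", "secret_questions": "know", "mailbox_password": "know",
    "email_code": "have", "sms_code": "have", "key_fob": "have",
}

def substitutes(mech, obtain, seen=frozenset()):
    """Every set of mechanisms that can stand in for `mech`, itself included."""
    options = [frozenset([mech])]
    if mech in seen:                      # guard against circular recovery rules
        return options
    for path in obtain.get(mech, []):     # each path is a list of required mechanisms
        parts = [substitutes(m, obtain, seen | {mech}) for m in path]
        options += [frozenset().union(*combo) for combo in product(*parts)]
    return options

def access_paths(login, obtain):
    """All distinct ways to satisfy `login`, with the factor types each one needs."""
    parts = [substitutes(m, obtain) for m in login]
    paths = {frozenset().union(*combo) for combo in product(*parts)}
    return [(sorted(p), sorted({FACTOR[m] for m in p})) for p in sorted(paths, key=sorted)]

def is_multi_factor(login, obtain):
    """True only if every path, reset and recovery routes included, needs 2+ factor types."""
    return all(len(types) >= 2 for _, types in access_paths(login, obtain))

# Multi-layer, not multi-factor: two mechanisms of the same type.
LAYERED = (["password", "secret_questions"], {})

# Emailed reset (assumption: the mailbox is protected by a password alone),
# with an emailed code as the second factor.
EMAIL_RESET = (["password", "email_code"],
               {"password": [["mailbox_password"]], "email_code": [["mailbox_password"]]})

# The recovery the article suggests: secret questions plus a key sent to the mobile device.
SAFE_RESET = (["password", "sms_code"],
              {"password": [["secret_questions", "sms_code"]]})

if __name__ == "__main__":
    for name, (login, obtain) in [("layered", LAYERED), ("email reset", EMAIL_RESET),
                                  ("safe reset", SAFE_RESET)]:
        verdict = "multi-factor" if is_multi_factor(login, obtain) else "NOT multi-factor"
        print(name, "->", verdict)
        for mechs, types in access_paths(login, obtain):
            print("   ", mechs, types)
```

Run against your own login and recovery rules, any path that lists a single factor type is the one to fix before rollout.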
