March 03, 2015 // Ellen Neveux // Last Updated: March 12, 2021
Really 4 tips on how to implement two-factor authentication (and one thing to avoid)
By Justin Strackany – Chief Customer Officer for SecureLink and a recognized leader in third-party remote access policy and implementation.
Google, Twitter, Facebook and Apple are just a few of the companies that have decided to incorporate two-factor authentication into their authentication process. After a flurry of recent breaches, many larger companies are deciding to fold in this additional layer of security. If you’re still authenticating remote users with a single password, it’s time to make a change. There’s just too much at stake.
With that in mind, here are four things to think about when considering a two-factor authentication policy for your organization, and one thing you should probably avoid.
1. Consider alternatives to key fobs
Physical access tokens, such as those made by RSA, are great at providing secure multi-factor authentication, but they can be a pain to use. If your users misplace them, it can cause delays and additional expense.
Many multi-factor authentication solutions offer a choice of which method to use for your second factor, such as corporate email, telephone, or SMS.
2. Choose the right factor
With multiple factors to choose from, how do you know which one is right for your organization? If your first factor is a secure password (you do require complex passwords with a mixture of upper and lower case, numbers, and special characters, right?), then your second factor should be based on what type of access you are managing.
If you are managing remote employees, you might want to use something that is tied to their employment, like a corporate email address or key card. Authenticating non-employees and want to keep it relatively painless? Consider placing a telephone call or sending a text to a mobile device.
3. Mind your vendors
If you also allow remote access from consultants and vendors, you might need to create accounts and manage access cards for every vendor employee. Individually authenticating users without the right procedure and tools can be very time-consuming and cost-prohibitive. In addition, you risk account credentials being shared across the vendor organization.
4. More expensive isn’t always better
If you don’t have a budget to implement an expensive solution, a dash of policy can go a long way. Consider associating a mobile telephone number for each user who needs access. Disable their account and, when they call the help desk to request access, call them back on the number associated with their account. If they answer, enable the account. Poof! Instant two-factor authentication.
And now, one thing to avoid:
Beware of the reset password
It’s easy to confuse multi-layer authentication with multi-factor. Multi-layer consists of two layers of the same type of mechanism, such as a password and a secret question or a mobile device and key fob. Multi-factor contains at least one of each type, literally something you have and something you know.
If you are authenticating to a website, it’s easy to accidentally remove one of your factors. If a user can reset their password and simply have it emailed to them, then all that is needed to get into your system is a single email login and password: the possession factor has silently dropped out of the picture.
All multi-factor authentication processes need a provision if one of the factors is lost or forgotten. For example, you could have the user answer a series of secret questions and then receive an authorization key on their mobile device before they are able to reset their passwords.
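The multi-layer versus multi-factor distinction, and the way an email-based reset path collapses an account to a single factor, as an added example that is not part of the original post. The credential-to-factor mapping and the two policy tables are constructed for illustration; an auditor would fill them in from the real login and recovery flows.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"

# Constructed for this example: which factor type each credential really is.
# A reset link sent to a mailbox is only as strong as the mailbox password,
# so it counts as "something you know", not "something you have".
CREDENTIAL_TYPE = {
    "password": Factor.KNOWLEDGE,
    "secret_question": Factor.KNOWLEDGE,
    "email_reset_link": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "key_fob": Factor.POSSESSION,
    "callback_to_registered_phone": Factor.POSSESSION,
}

def classify(credentials):
    """Multi-factor needs two different factor types; two credentials of the
    same type are only multi-layer; anything less is single-factor."""
    types = {CREDENTIAL_TYPE[c] for c in credentials}
    if len(types) >= 2:
        return "multi-factor"
    return "multi-layer" if len(credentials) >= 2 else "single-factor"

def weakest_path(paths):
    """Every route into an account counts (login, reset, recovery). Rank each
    by distinct factor types, then by credential count, and return the weakest
    as (path_name, classification)."""
    name, creds = min(
        paths.items(),
        key=lambda kv: (len({CREDENTIAL_TYPE[c] for c in kv[1]}), len(kv[1])),
    )
    return name, classify(creds)

# Constructed policies: the login step is MFA in both, only the reset path differs.
RESET_BY_EMAIL = {
    "login": ["password", "sms_code"],
    "reset": ["email_reset_link"],              # collapses the account to one factor
}
RESET_WITH_SECOND_FACTOR = {
    "login": ["password", "sms_code"],
    "reset": ["secret_question", "sms_code"],   # the provision suggested above
}

if __name__ == "__main__":
    for label, policy in [("email reset", RESET_BY_EMAIL),
                          ("guarded reset", RESET_WITH_SECOND_FACTOR)]:
        print(label, "-> weakest path:", weakest_path(policy))
```

Running it reports the reset path as single-factor for the first policy and multi-factor for the second, which is the check to run against every recovery flow, not just the login form.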