By now, most organizations serious about security have implemented some form of two-factor or multi-factor authentication. While both have been around for a long time and widely discussed and debated in security circles, they garnered the spotlight in mainstream media several years ago when Hollywood actresses had their iCloud accounts hacked and technology journalist Mat Honan was hacked, locked out of his email and Twitter accounts, and had his phone and computer wiped.
Two-factor and multi-factor authentication are security protocols that typically supplement simple user name and password (single-authentication) by requiring additional proof points – like a token or biometric or one-time password (OTP) – to further validate you are who you claim to be.
Two-factor authentication can be considered multi-factor, but for the purposes of discussing which one is right for you, let’s consider multi-factor as more than two proof points. Other factors could be user behavior, such as have you ever tried to access this information before; device, such as a computer or smart phone that is recognized; or location that is familiar, such as office, home city or United States.
There are two main considerations when it comes to whether you select two-factor or multi-factor authentication: Risk and Convenience.
Risk:As with anything in security, you have to consider risk. What’s the value of what you’re trying to protect? What’s the risk to you if it’s stolen? If it’s personally identifiable information, such as addresses, credit card info, social security numbers, birthdates, etc., the risk is high and warrants strong protection. If you’re protecting the plan for the employee holiday party or your child’s soccer team schedule, the risk is significantly lower.
Convenience: Once you’ve established the value of what you’re protecting and the impact of losing it, you now have to make the difficult decision of how to balance the security you’ve outlined in your mind, with how convenient and easy it is for users – employees or customers – to get to the information.
For example, something considered low risk (little risk) and high convenience (easy to access), such as an email application or the company party data, may use just two-factor authentication, with a user name and password plus an OTP sent to a mobile device via text message.
Something considered high risk and low convenience (difficult to access) would be the most sensitive data or applications, such as an organization’s intellectual property or business financials. This is information that is critical to business success and in the wrong hands, could be devastating to the business and its very existence. Multi-factor authentication could be used for accessing this type of information, requiring multiple steps and factors to prove you are who you say you are.
Multi-factor authentication also would apply for scenarios where, for example, you’re granted access to some information, but you attempt to gain access to another data set or system. A multi-factor security protocol would challenge you with another step to grant access.
While much more difficult to implement, multi-factor authentication is appropriate for the most sensitive data not requiring easy, convenient access.
For those scenarios that fall somewhere in between, such as high risk, high convenience, you should at minimum choose two factor authentication.
Sure, we’re getting smarter about passwords and making it more challenging for the bad guys to crack them, but as Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Or in this case, two factors can help keep you and your business more secure.
