2FA or not 2FA – that is the question

Reports that Twitter users who had not subscribed to Twitter Blue, the system’s premium package, would have to turn off their two-factor authentication (2FA) caused consternation across the platform, with many fearful of an increased risk of their accounts being hacked. However, Twitter is not removing 2FA entirely. It is removing SMS 2FA for non Twitter Blue subscribers, which is actually a good thing. Authenticator app 2FA is still available, and it is actually a better form of security.

But what is 2FA and why is it so important?

As has been quoted many times, FBI Director Robert Mueller stated in 2012:

“There are two types of companies: those that have been hacked and those that will be hacked.”

Just as the internet cannot be uninvented, so cybercrime is here to stay. It is a global and sometimes well-organised industry worth in excess of US $500 million a day (Cybercrime Magazine 2023) and the UK remains the country with the highest rate of cybercrime per capita in the world – hardly an enviable statistic.

2-Factor Authentication (also known as Multi-Factor Authentication or MFA where more than 2 pieces of information are required) is the simplest and quickest method to reduce the risk of a person gaining unauthorised access to your systems, networks and data. In its simplest form, a user accessing a system (bank account, office network, email, shopping account) is asked for password and login credentials and also a second or third check that confirms they are the person entitled to access that system, such as a code from an authenticator app (Microsoft Authenticator, for example), or one generated by the platform and sent by text to the user’s phone or an email account not linked to the platform which they log in to.

2FA adds a layer of protection to your organisation and your private life. It helps prevent unauthorised access in the event that your credentials have been compromised and reduces:

· the risk of access by former employees of contractors who no longer work for you;

· the risk of access with the use of socially engineered local credentials;

· the risk posed by the use of passwords from leaked datasets and

· the use of these password across multiple accounts (password spraying).

Make no mistake – it is not foolproof. As a business, you should still have processes and policies to ensure that individuals only have access to those platforms and areas to which they are entitled and when they are entitled. Switching off access in a timely manner is fundamental.

The consequences

Both British Airways and the Marriott Hotels group were issued with record fines by the Information Commissioner’s Office (even after substantial reductions from circa £100 million to £20 million) for personal data breaches that included payment information and affected the data subjects adversely. The root of both breaches was traced to the failure to implement - or the poor implementation of - 2FA. Contractors had their login credentials compromised and created gateways to valuable data assets linked to personal and financial data that were used for theft and fraud.

How does it work and how do I implement it?

Most providers, from banking to retail shopping, now provide the option of 2FA. In most cases, the providers have enforced this, but it is worth searching or asking for this option to be implemented.

The introduction of 2FA can help protect your business systems and platforms, particularly those providing access to critical information and digital infrastructure, such as:

· Office 365 or equivalent

· Business Banking

· Supplier portals

· Critical systems / digital infrastructure

· Customer facing portals

· Website

When using mobile phones or tablets to receive 2FA tokens, ensure that users use the inbuilt security to lock the devices and that the devices do not display the codes when they are locked.

Some of us will complain about the speed and time it takes to log in with 2FA but be assured that the security benefits really outweigh the additional time or burden. Quicker versions of 2FA - Fast Identity Online (FIDO) for example - are used in scenarios such as fingerprint and facial two factor login. This allows the use of biological features to log into accounts and can be much quicker.

Ensure security policies and associated processes work to support 2FA. People leaving your organisation could be departing under a cloud and this may provide motivation for them to cause problems, particularly if they have access to your core systems. They need to be removed from access to systems immediately following their departure and their encryption tokens for 2FA should be changed or disabled.

A day is a long time in data protection and 2FA is not going to work properly if it is not maintained. Therefore, the requirement for 2FA needs to be renewed every day for all users. For critical or sensitive infrastructure, you will need to require 2FA at every login and implement appropriate time-outs.

When should you use 2FA?

In its simplest form, 2FA will be needed wherever you have something that is valuable and or critical to your business, such as:

· Cloud-based services and infrastructure

· Critical systems / digital infrastructure

Additional layers of 2FA will be needed for high-risk connections (VPN) and or high value / critical infrastructure or information/data, and when making changes to systems, users, access and communication tools for your business.

However, you need to make sure that you balance those authentication measures with the requirements of the business, the ability and need for your colleagues to be able to deliver their work and an effective customer experience.

Additional guidance can be obtained from National Cyber Security Centre - MFA or contact your system providers to obtain guidance on how to implement it on their systems.