What is two factor authentication?

When you perform sensitive actions on the web, such as changing a password or logging in from a new computer, many sites and applications now ask for additional information, such as your cell phone number, to help ensure that it is actually you who is logging in.  When you provide it, they send you a text with a security code that you need to enter to confirm your identity.

Asking for something in addition to your password is referred to as “two factor” authentication.  The idea is that they are checking something “you know” (such as your password) and something “you have” (such as your cell phone). This concept is not new: large organizations have been doing this for a long time using complex systems with small fobs that you had to carry around with you. The fob displays a number that randomly changes every 60 seconds or so. When you try to log in, you have to type in the current number on the fob, which is synced with the server so they know it is you. An example of this type of fob system is SecurID by RSA, a leader in this space.

Since almost everyone now carries a cell phone, this type of technology has become much more accessible to small businesses for use in their security efforts.  With the proliferation of remote workforce users, using a two factor authentication system such as Duo will give you an added layer of security when your employees are accessing your critical company resources from somewhere outside of your office.  Using a system like this, when you try to log in from outside the office network, a message is sent to the app loaded on the employee’s cellphone.  The employee can approve or deny the request.  If it is them, they simply click approve and they are in.  If it was not them, they can notify your IT team that someone was trying to log in as them and appropriate actions can be taken.

This is just one more step that your company can take in securing your network.  We will do several posts on small business security as it is such a critical topic in today’s marketplace.


Michael Giuffrida from Southington, CT has been operating businesses since 1997.  He is an experienced entrepreneur in business management, profitable growth, business valuation, mergers and acquisitions, and information technology managed services.

6 thoughts on “What is two factor authentication?”

  • While the text approach is nice and adds a small layer of protection, some organizations such as NIST (the national institute of technology and standards) no longer allow text (SMS) as a secure second factor. The reason is that SMS is not secure and the transmissions can be easily intercepted. Because of that, there has been a switch to phone application based virtual fobs. The most widely used and known is Google Authenticator. A developer can use Google’s API to code a fob-like random changing number and transmit it securely.

  • This information explains a lot. I always wondered why they (banks, credit unions, etc.) are always asking new secret questions and changing answers. I was getting annoyed at having to change my “secret” questions but now I know it is for my good. Thanks for the info.

  • I remember the days of carrying a separate fob for RSA, now it is an app on my phone. How practical to integrate into a smartphone app! Why can’t they integrate my vehicle’s key fob and house key into a smartphone app? I await your post on that technology.

  • I was one of the consumers getting annoyed by the “hassle” of the two factor authentication. I’m in a hurry after all, I don’t have time for this extra step. After reading your article I better understand the purpose, and while I still might get annoyed, I will try to remind myself that it’s for my own protection. Thanks for your post.
