Authenticating a user before granting them access to an application is a fundamental security control for protecting an organisation's digital assets. The username and password combination has long been the conventional way to prove identity, but a password on its own is a weak factor. Poor password hygiene, such as reusing one password across many applications or choosing a short, guessable one, puts systems and data at risk. To counter this threat, you can turn to stronger forms of authentication.
Two-Factor Authentication (2FA) is an added layer of security that requires a user to present a second, independent authentication factor along with their username and password (something they know). The second factor is usually something the user has (a smart card, a hardware token, or an authenticator app that generates one-time codes) or something the user is (a fingerprint or iris scan). This defence-in-depth approach means a stolen or guessed password alone is no longer enough to log in, which blunts the automated attacks that plague password-only authentication.
To date, 2FA is not mandatory in every industry. It is, however, required, or strongly implied by the access-control rules, in sectors such as finance, healthcare, defence, law enforcement, and government, among others.
The finance industry has long used 2FA technology. In fact, each time you use an ATM, you are using 2FA—you need both your PIN (something you know) and your ATM card (something you have) to access your bank account. As more financial services move online, financial organisations need this added layer of security to protect customers and their assets.
Any organisation that processes or stores payment card data also has to comply with PCI-DSS. Since PCI-DSS version 3.2, multi-factor authentication has been required for all non-console administrative access to, and all remote access into, the cardholder data environment. The standard also requires that vendor-supplied default credentials be changed and that every user with access to cardholder data have a unique, named account, so that activity can be traced back to an individual rather than a shared login.
The Sarbanes-Oxley (SOX) Act of 2002 is another driver in the financial industry. SOX does not explicitly name 2FA as a requirement, but it does call for strict internal controls over financial information. Similarly, the Gramm-Leach-Bliley Act (GLBA) does not dictate password policy but does require businesses to create and follow appropriate safeguards for their customers' financial information. Password-only authentication is hard to defend as an adequate control under SOX or as a sufficient safeguard under GLBA, so although neither law states it, implementing 2FA is the prudent reading. With over a billion leaked passwords circulating online from past data breaches, no organisation should consider itself immune, but 2FA, or better still multi-factor authentication (MFA) with additional factors, mitigates the risk.
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of an individual's healthcare information. Under HIPAA, healthcare organisations must put measures in place to control access to that information, including password management. HIPAA does not mandate 2FA, but it does require organisations to address their authentication practices. As in the finance industry, 2FA lets healthcare organisations meet a high standard of access security and demonstrate compliance with the regulation.
The US military uses 2FA via the Common Access Card (CAC), a smart card issued to active duty Uniformed Service personnel, Selected Reserve, DoD civilian employees, and eligible contractors. The card (something the user has), unlocked with a PIN (something the user knows), grants physical access to buildings and controlled spaces and logical access to DoD computer networks and systems.
US law enforcement agencies that use the systems of the FBI's Criminal Justice Information Services (CJIS) Division must use multi-factor authentication to access the National Crime Information Center (NCIC). The CJIS Security Policy requires this "advanced authentication" whenever officers reach NCIC from a mobile terminal, a handheld device, or a location that is not physically secured. This requirement further demonstrates the real-world application of 2FA where single-factor authentication cannot provide the level of security needed to keep vital data safe.
For several years, 2FA has been required for access to US federal government systems and websites. The US government's 2016 Cybersecurity National Action Plan also directed the National Cyber Security Alliance (NCSA), a non-profit public-private partnership, to work with leading technology vendors such as Google, Facebook, and Microsoft to promote the use of 2FA. These initiatives demonstrate that 2FA is a genuine solution for mitigating the risks inherent in password-only authentication.
The Global Requirement for Two-Factor Authentication
Even if an organisation is not obliged to follow the regulations or the judicial and governmental requirements discussed above, 2FA is still highly valuable. Automated password attacks, such as credential stuffing (replaying username and password pairs leaked from other sites) and password spraying (trying a few common passwords against many accounts), take advantage of poor password practices, and a second factor defeats both because the password alone never completes the login. Implementing a 2FA solution therefore helps any organisation fortify the security of its systems, data, and customer information. In an online world where passwords are often the only mechanism protecting systems from unauthorised access, 2FA is no longer a "nice to have" but a genuine necessity.
Okta provides multiple 2FA options through its Adaptive Multi-Factor Authentication (AMFA) product. Organisations can choose from a variety of factors, such as one-time passcodes and biometrics, and AMFA's contextual awareness adds a further layer of security by weighing signals such as the user's device and location before granting access.