Authenticating a user before allowing them access to a secure application is a crucial security step needed to protect the digital assets of your organisation. The username and password combination has long been the conventional mechanism used to authenticate users and prove identity, but password security is inherently flawed. Poor password hygiene practices, such as reusing the same password for multiple apps or choosing a simple, guessable password, put operations at risk. To counter this threat, you can turn to advanced forms of authentication.
Two-Factor Authentication (2FA) is an added layer of security that requires a user to submit an additional authentication factor along with their username and password. This second authentication factor is usually something the user has (a smart card or hardware token) or something that is unique to the user (a fingerprint or iris scan). This multi-layered, defence-in-depth approach to authentication mitigates the risk of the automated attacks that plague single-password authentication solutions.
To date, the use of 2FA to protect systems is not mandatory in every industry. However, 2FA is required to satisfy specific authentication rules in sectors such as finance, healthcare, defence, law enforcement, and government, among others.
Finance
The finance industry has long used 2FA technology. In fact, each time you use an ATM, you are using 2FA—you need both your PIN (something you know) and your ATM card (something you have) to access your bank account. As more financial services move online, financial organisations need this added layer of security to protect customers and their assets.
Any organisation that processes or stores card payment information also has to comply with PCI-DSS. This means they may have to go a step further, providing more than two authentication factors to ensure their security. Since PCI-DSS version 3.2, these organisations have also had to change vendor-supplied default credentials and assign a named account to every user who has access to cardholder information.
Another example of 2FA in practice in the financial industry is the Sarbanes-Oxley (SOX) Act of 2002. SOX does not explicitly state that 2FA is a compliance requirement, but it does call for stric