You don’t have to increase spending to improve cybersecurity, but every business can be more strategic about what they spend where.
Mobile two-factor authentication (2FA) is not a new concept.
This process has been standard for several years in the banking industry.
Now that technology has advanced, mobile two-factor authentication has moved forward as well, but is anything truly secure with mobile devices?
Although nothing is foolproof, mobile two-factor authentication can be critical to maintaining cybersecurity.
What is two-factor authentication?
Two-factor authentication refers to systems that double-check the authenticity of your identity.
It’s an attempt to verify that you are who you say you are, particularly when accessing financial accounts and using credit cards.
Typically, the user enters a password and then verifies their identity a second time by entering a code received via text message.
Mobile two-factor authentication has proven to be valuable for uses beyond banking, and other industries have adopted the security measure as well, including social media platforms and email platforms.
Hacking into social media or email accounts can disrupt business, and access to one password often grants access to other, more important systems.
There are three common authentication methods used in conjunction with passwords:
- Personal knowledge – This is usually a PIN or answer to a secret question: information that typically only the account holder knows. This is the least reliable method of 2FA, as hackers can quite easily obtain personal information.
- Physical device – This verifies the user’s identity based on something that the user possesses, such as a phone or USB dongle. The problem that arises with this method is that such possessions can be stolen, allowing hackers access to secure accounts. They may even be able to intercept text messages.
- Biological factor – Face or voice recognition are becoming more popular, along with fingerprints, signatures, and retina scans. Although these are some of the most secure authentication methods, they tend to be the most expensive to implement and are therefore often unavailable.
The benefits of two-factor authentication
Two-factor authentication requires more than just a password to access your accounts, adding an extra layer of protection to your secured networks.
There are concerns that mobile 2FA in itself poses a security risk, as text messages or calls are not secure.
While still widely used, SMS is no longer a recommended format for 2-factor authentication, as the National Institute of Standards and Technology (NIST) is recommending an alternative to SMS for security purposes.
Luckily, authentication apps are becoming more popular, with the use of one-time passcodes that expire in seconds and vary constantly.
Such apps make mobile 2FA much harder to track, and hackers must employ sophisticated methods for a breach to be successful.
In most cases, hackers will move on to accounts that are easier to access.
So, does two-factor authentication improve security?
The short answer is yes, two-factor authentication does work when implemented properly.
But like everything else, the security is in the implementation.
Biometrics and physical authenticators (such as a USB dongle) are more secure than a text message or social media login to authenticate identity.
Because nearly everyone carries a mobile device in today’s business world, employing two-factor authentication through mobile 2FA, apps, and other innovative security solutions easily accessible to most employees offers another security layer an organization can implement to reduce risk.
The modern workforce, with its need for remote work locations and mobile applications, has certainly been good for productivity, but it has also opened new doors for hackers.
Malicious attackers are always looking for new opportunities to compromise your data.
Office 365 is an essential business tool, and hackers have seen it as an effortless means of gaining access to company networks.
Recent O365 brute force attacks against multiple organizations highlight the ingenuity of attackers and the need to address the vulnerability of Office 365.
What Is a Brute Force Attack?
A brute force attack occurs when hackers use automated scripts to cycle through as many attempts as possible to crack someone’s password.
While cloud service providers are ever on the lookout for brute force attacks, the concerted effort against Office 365 has been causing the most issues lately.
Hackers, to remain undetected, have been attempting to fly under the radar with their attacks, exploiting user accounts and passwords obtained from earlier breaches suffered by Dropbox and LinkedIn.
Knowing that some people use the same password on multiple accounts, hackers slowly and methodically try every conceivable email and password combination, in the hopes of finding one that lets them in.
All it takes is one person reusing the same password and username on more than one site to give hackers access, which is why hackers have generally been successful.
In the last attack, there were 100,000 failed logins from 67 different IP addresses and 12 different networks.
This demonstrates a coordinated effort against high-value targets in a strategic manner that avoided detection, also suggesting that hackers already had access to some personal information.
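The pattern described above (many failed logins spread across many source addresses so that no single address stands out) can be detected by aggregating failures across sources instead of per IP. The following is an added example, not from the original article: the log records are constructed, the IPs come from documentation ranges, the thresholds are assumptions, and a /24 prefix stands in for "network".

```python
import ipaddress
from collections import defaultdict


def sample_events():
    """Constructed sign-in records: (minute, source IP, account, result)."""
    ips = [f"198.51.100.{i}" for i in range(1, 5)] + [f"203.0.113.{i}" for i in range(1, 5)]
    events = [(n, ips[n % 8], f"user{n % 20}@example.com", "fail") for n in range(40)]
    # One legitimate user mistyping a password, then succeeding.
    events += [(n, "192.0.2.10", "alice@example.com", "fail") for n in range(6)]
    events.append((7, "192.0.2.10", "alice@example.com", "ok"))
    return events


def group_failures(events, window_minutes=60):
    """Per time window and source IP: failure count and accounts targeted."""
    windows = defaultdict(lambda: defaultdict(lambda: {"count": 0, "accounts": set()}))
    for minute, ip, account, result in events:
        if result == "fail":
            stats = windows[minute // window_minutes][ip]
            stats["count"] += 1
            stats["accounts"].add(account)
    return windows


def detect(events, per_ip_limit=10, min_accounts_per_ip=3, min_ips=5):
    """Alert when several IPs each fail against multiple accounts in one
    window, even though each IP stays under the per-IP lockout limit."""
    alerts = []
    for window, by_ip in sorted(group_failures(events).items()):
        sprayers = {ip: s for ip, s in by_ip.items()
                    if len(s["accounts"]) >= min_accounts_per_ip}
        if len(sprayers) < min_ips:
            continue
        alerts.append({
            "window": window,
            "failed_logins": sum(s["count"] for s in sprayers.values()),
            "source_ips": len(sprayers),
            # Assumption: /24 as a proxy for network; production would use ASN data.
            "networks": len({ipaddress.ip_network(f"{ip}/24", strict=False) for ip in sprayers}),
            "accounts": len(set().union(*(s["accounts"] for s in sprayers.values()))),
            "ips_over_per_ip_limit": sum(s["count"] >= per_ip_limit for s in sprayers.values()),
        })
    return alerts


if __name__ == "__main__":
    print(detect(sample_events()))
```

In the sample, `ips_over_per_ip_limit` is 0: a per-IP lockout rule alone would not have fired, while the cross-source view does.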
Username–Password Authentication is Not Enough
Many businesses continue to rely on username-password authentication for login purposes, but given current cybersecurity threats, that is no longer adequate.
An organization’s security infrastructure must involve multi-factor authentication, because attacks stem largely from weak identity security and phishing email scams.
Although current versions of Office 365 support basic two-factor authentication, older Microsoft clients and third-party email applications do not have this feature.
Furthermore, multi-factor authentication must be manually activated and updated. It is critical for all businesses to take the steps necessary to protect their sensitive data linked to Office 365.
What You Can Do
- Use built-in security features – Although built-in features aren’t always enough to prevent malicious attacks, they do provide an added layer that can boost overall security. Office 365 is equipped with an intuitive junk-mail filter that can help distinguish between spam, phishing, and legitimate emails. You can also upgrade to Advanced Threat Protection, which is an extension of an Office 365 subscription.
- Upgrade your system – Make sure that your security system, as well as your Office 365 subscription, is up to date. Failure to install an update can leave your cyber doors wide open.
- Disable email hyperlinks – This option is not the most user-friendly, but it can be effective. Disabling links within an email can reject a hacker’s attempt to bury a false URL.
- Educate users – Human error is the crux of most successful phishing attacks. Educate your employees and clients on how to identify phishing attempts, and you can prevent a major breach in your systems.
The ITeam supports all of your Office 365 needs and partners with you to make sure you can make the transition and manage the service effectively. Because of the risk these O365 brute force attacks represent, we now require our clients using RDP to implement multifactor authentication with O365. To learn more about our Microsoft O365 services, visit https://theiteam.ca/office-365/ or contact us.
Security breaches are a daily occurrence, making headlines on a regular basis.
Costly incidents are happening more and more frequently across all industries and businesses.
Every business leader is charged with beefing up IT security and protecting both proprietary data and customer information, but network security alone is no longer enough.
Multifactor authentication is one of many new layers of security that businesses must consider, to help thwart additional attacks.
What Is Multifactor Authentication?
Multifactor authentication (MFA), sometimes called two-factor authentication, is a crucial security layer requiring more than one authentication method to verify a user’s identity.
It blocks all access to a device, network, or terminal unless two of three factors are provided: something you have, something you know, or something you are.
These independent identity authorizations include a password, a security token, and often, a biometric verification.
How Multifactor Authentication Works
MFA makes it virtually impossible for someone to hack into a user’s devices, the network, or a database.
Most consumers use multifactor authentication all the time without realizing it. When you use a bank’s ATM, you swipe a card and enter a PIN.
That is multifactor authentication.
But businesses need to begin recognizing the significance of containing security breaches by implementing MFA as a part of their overall IT security strategy.
The combinations for multifactor authentication are limitless:
- Card swipe + PIN
- Username + password + texted access code
- Card swipe + fingerprint + security question or password
Cyber Attacks Cost Everyone
Multifactor authentication technology should not replace existing security (firewalls, malware detection, hosted email exchange, offsite backup and recovery).
Instead, it should be used to augment security, making it far more difficult for anyone other than the intended party to access sensitive information.
Combined with other security measures, such as stronger employee passwords, robust email security, and secure hosted services, multifactor authentication is an essential element of your organization’s overall security efforts.
MFA can prevent hackers from achieving a brute force entry into your network.
It’s much harder to breach a network using a fingerprint or a one-time-use access code texted to a single mobile device than it is to guess an employee’s password that is likely written on a sticky note under their keyboard.
As technology fundamentally changes how we do business, serve customers, and meet compliance standards, business leaders must re-evaluate whether their current IT strategies are meeting their needs.
Suite 200, 1210 8 Street SW
Calgary, AB T2R 1L3