2014-03-06

Many of us are familiar with single-factor authentication, where one form of identity verification allows you to pass through a security barrier to access protected data—entering a password to log into your email account, for example. Small businesses use single-factor authentication to gain access to numerous accounts daily, including email and social media.

In the past few years, however, a series of security breaches have highlighted how easy it is to break through one-step authentication. To better secure their online accounts, businesses must turn to higher levels of security.

Two-factor authentication is one solution. In a two-factor (or any other multi-factor) authentication scheme, systems are secured in multiple ways using one or more of the following factors:

Knowledge: Something you know, e.g. a password, code or personal identification number (PIN).

Possession: Something you possess, e.g. a door key.

Inherence: Something you have inherently, e.g. fingerprint, voiceprint or facial recognition.

Introducing a second factor of authentication improves security for the simple reason that a single point of authentication is also a single point of failure. With two-factor authentication, an added layer of security prevents unauthorized access even if the first point fails—if you lose your ATM card, a thief still needs to know your PIN code to use it.

Businesses continue to expand their online operations, but most use weak authentication to secure their accounts, which puts their data at risk.

“You could leave your house key under your welcome mat, but anyone with a mind to break in knows where to look,” explains Roman Gonzalez of two-factor identification firm Toopher. “Hackers go after low-hanging fruit.”

So why hasn’t every business started using some form of two-factor authentication? Some may simply not know what two-factor authentication is, or how to use it. Others may be aware of it, but view it as more trouble than it’s worth.

In reality, however, it’s fairly simple to secure most of the accounts your small business uses daily. Let’s take a closer look at how to do so.

What Accounts Should You Protect First?

There’s an ever-growing list of services that provide two-factor authentication for user accounts. Ideally, your organization should protect every account as fully as possible. The most important sites to protect, however, are banking and payment systems, email, cloud storage sites and social media accounts.

➔ Banking accounts: Some of the most popular banks in the U.S. offer two-factor authentication, including Bank of America, Citigroup, USAA and Ally Bank (click on the links to learn more about how to enable this feature for each).

Additionally, some banks offer a token-based solution—a keychain-sized device used specifically for online authentication—that you can request through online customer support or your local branch.

➔ Other payment accounts: Because users frequently link banking accounts to other accounts through which they may make or receive payments, protecting these other accounts is also extremely important. Click on the links to find the instructions for PayPal, Charles Schwab and E*Trade.

➔ Email accounts: Email can be especially crucial, because messages may contain details of many of your other accounts, including login and password information, security questions and details about your activity on those accounts.

Follow the links for more information on how to secure your Gmail, Outlook and Yahoo! accounts.

➔ Cloud storage accounts: Many businesses use cloud storage sites for sharing and for backup of sensitive data. Here’s how you can improve the security of your Dropbox, Google Drive, SkyDrive/OneDrive, Amazon Web Services and Evernote data.

➔ Social media accounts: While social media accounts don’t typically house valuable corporate information, hackers who compromise a company’s account can cause serious, far-reaching consequences. Here are the steps you can take to keep your identity safe at Facebook, Twitter, LinkedIn and Google+.

Using Third-Party Applications to Protect Accounts

If your business uses a system or account that doesn’t offer two-factor authentication, third-party applications can provide that extra layer of security.

These include “password vaults”—applications that allow you to use a single password to unlock unique passwords for every site you access. Among the more popular are 1Password, LastPass, and RoboForm.

These applications generate a strong, hard-to-guess password for each site you ask them to remember. The passwords are stored in a single location on your computer, which you unlock with a master password.

These applications provide two key security strengths: they help avoid password reuse among sites, and they remember those strong yet impossible-to-recall passwords experts recommend using (e.g. k$J2*@br9G+q).

LastPass is the only one of the three solutions that currently offers its own internal multi-factor authentication. This is configurable through a number of methods, including Google Authenticator, Microsoft Authenticator and Toopher (among others). LastPass is also free to try, and many of its premium features are offered in the free package.

What Employee Accounts Should You Protect?

Protecting your firm entails two key steps: shoring up its most exposed weaknesses and guarding against the threats with the greatest potential to cause harm.

Unlike a physical break-in, an account compromise may go unnoticed for some time, during which an attacker may have free rein over a business’ proprietary data.

For this reason, system administrators, CEOs, executives and anyone else with elevated authority or access in an organization must take additional precautions, because their level of system access (or their authority) can turn a single account compromise into company-wide havoc.

You should also consider the nature of the data in these employee accounts. A CEO’s Dropbox account containing stock thumbnail images, for example, is not something that usually warrants two-factor authentication.

An account containing client credit card and/or account information, on the other hand, should absolutely be secured with an extra step.

The additional security offered by two-factor authentication makes it a smart choice for any business. Remember that protecting your organization through two-factor authentication entails protecting both your corporate accounts and those of individual personnel. When done right, it can help prevent catastrophic breaches no business wants to endure.

“Locks and Keys” created by locksmith Services used under CC BY / Resized.
