Two-Factor Authentication (2FA)

Who uses 2FA?

Two-factor authentication is used across many industries that require user authentication and device trust beyond usernames and passwords. 2FA technology is often championed by an organization’s security team, Chief Information Security Officer, or information technology team, but it affects departments throughout the business. Below is a list of the top five industries where 2FA is a crucial information security strategy:

  • Healthcare: Due to the incredibly sensitive personally identifiable information protected by hospitals and other healthcare organizations, two-factor authentication is commonly used to secure user accounts (doctors, patients, administrative staff).

  • Finance: Financial institutions use 2FA to protect against data breaches and to comply with the growing security demands of users and auditors. The highly sensitive and valuable data protected by financial firms makes them prime targets for cyber criminals.

  • State & Federal Government: Both state and federal governments are under constant threat of cyber attacks. In response, governments are implementing two-factor authentication in addition to traditional passwords. With 2FA, an attacker who has compromised an end user’s password would still need to capture that user’s mobile device to log in.

  • Education: Educational institutions from elementary schools to universities implement 2FA solutions to protect the data of their students and staff. Students, teachers, and administrators log into sensitive web portals with 2FA in addition to the traditional passwords.

  • Law Enforcement: Two-factor authentication is used by government agencies of all sizes, from the FBI and CIA down to local police departments, to protect sensitive data. Law enforcement administrators can confirm the location, IP address, and username of any user attempting to log into their networks. This is another layer of protection against potential external threats.

How effective is 2FA?

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.

About 81% of confirmed data breaches in the Accommodations industry involved stolen credentials. – Source: Verizon 2018 Data Breach Investigations Report

Which authentication method is best?

At Duo, we recommend push-based, FIDO Security Key, and biometric authentication, because these make it very difficult for an attacker to pose as an authorized user.

Push-based 2FA: Most push-based authentications can’t be approved unless a user’s phone is unlocked. This requirement makes push-based 2FA more secure than passcode-based 2FA, which often delivers a code that can be seen on lock screens or other SMS-enabled devices. With push-based 2FA, simple security measures like a passcode or biometric identification go a long way, protecting applications with a layer of information only device owners would possess.

WebAuthn: WebAuthn-based authentication requires users to approve access requests via a mechanism that’s attached to their device. WebAuthn taps into users’ built-in biometric authenticators, negating the need for both passcodes and physical hardware. For devices that don’t contain a built-in biometric sensor, USB-based FIDO security keys, such as the YubiKey by Yubico, can bridge the gap. With WebAuthn, the world of information security moves one step closer to true passwordless authentication.

What’s the difference between 2FA and MFA?

Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA). There are as many potential authentication factors as there are ways to confirm a user’s identity (location, fingerprints, face, security keys), and any security protocol that involves three or more is considered MFA. 2FA, the most common and most accessible subset of MFA, requires two factors of authentication.

How will 2FA improve my technical infrastructure?

2FA often reduces the need for device-specific or application-specific security tools, like MDMs. With 2FA, companies are able to protect a broader scope of information and technical environments, allowing them to consolidate and/or forego solutions that may not be adding to the overall security landscape. Reducing total cost of ownership is an ongoing initiative for many companies, especially when it comes to IT, and protecting more information with 2FA can drive progress toward that goal.

At Duo, we recognize the value of streamlining technical infrastructure, so we’ve built broad application and device coverage right into our 2FA solution. Learn more about how Duo helps make life easier for IT administrators.

Can I use 2FA in a hybrid environment?

The short answer is: “yes.” Most companies need to protect both cloud-based and on-premises applications, so it’s smart for 2FA vendors to accommodate both types.

However, that doesn’t mean all 2FA vendors can protect all applications. Some are tailored to specific productivity tools or require additional drivers or software to protect a greater breadth of information. Duo’s 2FA solution is designed to work with the broadest range of applications and devices — so no matter what you need to protect, Duo can help.

How do I make sure my users keep their devices updated?

Rigorous device health standards are an essential part of any effective security framework. To truly be secure, every single device that requests access to an application should meet your organization’s security standards. But depending on the complexity of your security protocols, it can be difficult to ensure every device has the latest operating system, has screen lock enabled, is properly encrypted — the list goes on.

Some 2FA solutions build in the option for device health checks, so administrators can warn users that unless they update their software or change their device settings, they’ll be unable to access the services they need. Duo’s self-remediation features are designed specifically to not only warn or block users based on device health, but to help users comply with security regulations without needing to get an IT professional involved.

The easier it is for users to meet security standards, the more likely they are to keep their devices compliant — saving administrators a lot of headaches over time.

What if a user loses their mobile device?

2FA relies on users having a device with which to authenticate. If that smartphone or laptop is lost or stolen, there’s a heightened risk that unauthorized entities will be able to access your important data. So, generally, users should be aware of their devices’ locations at all times, and they should be cautious about letting others use their devices.

That’s not a security guarantee, though — we’ve all lost (or thought we lost) a device or two somewhere along the road. It happens. Fortunately, 2FA technology can actually make it easier to protect the information to which those devices have access. Security solutions that install directly onto users’ devices (MDMs, etc.) can often lock or shut down devices remotely, protecting mission-critical information even when a user doesn’t physically have their device with them. Duo works similarly, but it doesn’t require installation of any additional drivers or software. Users can easily self-enroll in 2FA via an app on their devices, so no matter where in the world they travel or what technology they use, your information stays secure.

Can I limit access to some applications but not others?

With a good adaptive authentication solution, yes! And as the security industry evolves, it becomes ever more important to do so. Remember, the goal of a security policy is to limit access to as few people as possible — and that concept applies at the application level, too. To truly reduce the possibility of a breach, each user should be able to authenticate to as few applications as possible, and their level of access should be based on the information they need to access.
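To make the warn-versus-block distinction from the device-health section and the per-application access limits above concrete, here is an added example (not Duo’s code or policy schema) of a small access-policy evaluator: the posture fields, group names, application names and version floors are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DevicePosture:  # health signals reported by the device (constructed schema)
    os_name: str
    os_version: tuple      # e.g. (17, 2)
    screen_lock: bool
    disk_encrypted: bool

@dataclass
class AppPolicy:
    """Per-application policy: who may reach it and what posture is required."""
    app: str
    allowed_groups: set
    min_os: dict           # os_name -> minimum acceptable version tuple
    require_screen_lock: bool = True
    require_encryption: bool = True
    enforce: bool = True   # True: block non-compliant devices; False: warn only

def posture_findings(device, policy):
    """Return one remediation message per health requirement the device fails."""
    findings = []
    floor = policy.min_os.get(device.os_name)
    if floor is None:
        findings.append(f"{device.os_name} is not an approved platform for {policy.app}")
    elif device.os_version < floor:
        findings.append(f"update {device.os_name} to {'.'.join(map(str, floor))} or later")
    if policy.require_screen_lock and not device.screen_lock:
        findings.append("enable a screen lock")
    if policy.require_encryption and not device.disk_encrypted:
        findings.append("enable full-disk encryption")
    return findings

def evaluate(user_groups, device, policy):
    """Decide 'allow', 'warn' or 'block' for one user, device and application."""
    if not set(user_groups) & policy.allowed_groups:
        return "block", ["not authorized for this application"]
    findings = posture_findings(device, policy)
    if not findings:
        return "allow", []
    return ("block" if policy.enforce else "warn"), findings

if __name__ == "__main__":
    # Constructed sample: payroll is restricted to finance and enforces posture; the wiki only warns.
    payroll = AppPolicy("payroll", {"finance"}, {"iOS": (16, 0), "macOS": (13, 0)})
    wiki = AppPolicy("wiki", {"finance", "staff"}, {"iOS": (16, 0), "macOS": (13, 0)}, enforce=False)
    stale = DevicePosture("macOS", (12, 6), screen_lock=False, disk_encrypted=True)
    for groups, app in (({"finance"}, payroll), ({"staff"}, payroll), ({"staff"}, wiki)):
        decision, why = evaluate(groups, stale, app)
        print(f"{app.app:8} {sorted(groups)}: {decision}", "; ".join(why))
```

The same device is blocked from payroll for a posture failure, blocked for lacking group membership, and merely warned on the wiki, which is the self-remediation path a user can follow without involving IT.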