OpenVPN is proud to be a sponsor of the CISO/Security Vendor Relationship Podcast, which examines the relationships between CISOs and vendors, and how they work together to combat ever-increasing cyber attacks. The last podcast of April, We’re Gonna Run These Pen Test Exercises Until You Turn Purple, heard from David Spark, Mike Johnson, and Priceline CISO Matt Southworth on topics such as purple-teaming, the Corporate Executive Accountability Act, how to move into a CISO (Chief Information Security Officer) position, and the significance of 2FA.
We wanted to recap one of the important security tips discussed on this segment: 2-factor authentication (2FA). 2FA is something that businesses need to implement now that we are entering a new era where the traditional password doesn’t cut it — because despite training and policies, some employees just won’t choose passwords strong enough to get the job done.
Don’t Depend on Single Factor Authentication
To be secure, a password has to be long, hard to guess, and unique to the account it protects (and replaced promptly if it turns up in a breach). But for the sake of convenience, many employees choose short, simple, weak passwords and reuse the same one for nearly everything, so a leak from one site becomes a working credential everywhere else.
And contrary to popular belief, adding password challenge questions doesn't help the situation much, because in most cases the answers are factual, searchable information. Public records can quickly give an attacker the street an employee grew up on, where they went to school, or their mother's maiden name. A quick social media sweep can reveal their first pet's name, where they like to vacation, or their favorite movie. Do you really want the safety and security of your organization to hinge on a last name?
What is 2FA, and what are the best 2FA methods?
In short, 2FA means that two separate proofs of identity, drawn from different categories, are required before an employee can access an account: something they know (a strong, complex password), something they have (a phone that can receive SMS messages, a physical token, or an authenticator app that generates time-limited codes), or something they are (a biometric such as a fingerprint or face scan). A password plus a challenge question is still only one category, which is why it doesn't count as 2FA.
Currently, the SMS message is the most popular second factor, but it is also the weakest option: codes can be intercepted through SIM swapping or weaknesses in the carrier network, and a phishing page can simply ask the user to type the code in and relay it to the real site within its validity window. A better option is an authentication app or a biometric. When logging in, the employee's password serves as something they know, the app on their enrolled phone serves as something they have, and a fingerprint or face scan serves as something they are.
Biometric authentication is a convenient 2FA option because it takes seconds and can be more secure than other kinds of authentication. On modern devices the fingerprint or face scan never leaves the device: it unlocks a key held in the device's secure hardware, so an attacker who can intercept SMS codes or emails has nothing to intercept. The caveat is that a biometric is not a secret and cannot be changed if it is ever copied, so it belongs alongside a trusted device and a password rather than in place of them.
Authentication apps are also becoming very popular because they are easy to use and affordable; in fact, many of the 2FA apps available are free. Most of them generate time-based one-time passwords (TOTP, RFC 6238) from a secret enrolled by scanning a QR code, so the second step is quick: the employee reads a six-digit code off the app and types it in before it expires 30 seconds later, and nobody sits around waiting for a message to arrive. Apps like Authy also offer TouchID, encrypted backups, and use across multiple devices, and Google Authenticator codes are supported by our commercial Access Server product, making it even easier for employees to stay safe.
Wrapping It Up
Businesses can benefit greatly from implementing 2-factor authentication — the improved security means that attackers are less likely to impersonate employees and gain access to devices and networks containing sensitive business resources. While not impenetrable, 2FA is one of the best options out there for authentication security. When coupled with a reputable VPN solution like the OpenVPN Access Server, you can protect your business on multiple fronts. 2FA will decrease the risk posed by a compromise of sensitive login info, and Access Server will allow you to provide secure access for employees regardless of where they are working, greater access control, and stronger network access overall.