Not Using 2-factor Authentication? Time to Buckle-Up


Deploying two-factor authentication (2fa) gives you account security, peace of mind, and a safeguard for the things you don’t see coming – just like a seatbelt.

Using a seatbelt doesn’t cost you a thing. You don’t wear it thinking “OK, well I need to see if it’s worth it, so let me get in a crash” or “I bet I’m going to get in a crash today, so I better use this thing!”

It’s there as insurance, as protection, as a safety net (or belt, literally) just in case something happens.

The same rings true for using two-factor authentication (2fa). You hope you never need it, but when something big hits, you are sure thankful for its existence.

Using 2fa doesn’t cost a thing, either. Sure, it may take a few more moments of your time, just like clicking in your seatbelt, but damn does it do the job.

The same goes for an airbag (you don’t set out to crash your car to check if it works) and even auto insurance (you don’t get auto insurance thinking, “Two weeks from now I’m going to have a crash, better get insured now”).

We think the folks at PCmag said it very astutely and poignantly – “being secure isn’t easy. The bad guys count on you being lax in protecting yourself.” In essence, you could lose everything because you’re unwilling to spend extra moments with 2fa on each login.

There’s a big reason why the biggest players out there – Facebook, Apple, Macintosh, Google, Dropbox, on and on – deploy and recommend 2fa.

Apple devices requiring ID verification.

We here at GetResponse use 2fa internally, and we offer it externally for our customers as a security feature inside the GetResponse app. Why? Because a few extra seconds to save thousands of people’s data (our customers as well as our own) is well worth it.

Let’s look into what 2fa is, exactly, why it is so incredibly valuable, and why it’s underused.

What is two-factor authentication, and why now?

As we’ve discussed ourselves here and here, and as has been widely reported around the ole world wide web, hacking and phishing have seen a massive increase over the past year-plus, basically since the worldwide pandemic hit last year.

In fact, phishing attacks doubled in 2020, according to a report by APWG.

The reason is simple – opportunity. People and their money are turning online more and more every day, and that means there are more people and opportunities for thieves every day. Thieves of money, of identity, of personal and valuable information always turn to where the opportunity is.

Now let’s picture a door that only has one standard doorknob lock, versus one that has multiple deadbolts on it and even a retina scanner.

Which will be easier to access, to get inside and gain the goods? Obviously, it’s door No. 1.

And two-factor authentication is door No. 2. It is a major deterrent to identity theft, hacking, and being able to get data on you and your customers.

As Apple put it, “with two-factor authentication, only you can access your account on a trusted device or the web.”

You put in a password, then confirm it via a secondary method such as a verification code, security key, or other authentication code.

Verifying password with verification code.

Another way to think of it is needing both your bank card and your PIN to access your account at a cash machine (ATM), an example highlighted by Wikipedia (yeah, we sourced them, but c’mon that’s a good example!).

Looking at the why question, instead we ask, “why not?”

A simple Google search shows this answer for the question “Why is two-factor authentication bad?”

“Many users report that the additional hurdles of two-factor authentication are overly inconvenient, which can cause annoyed users to cut corners and take shortcuts that make the system more vulnerable.”

If “inconvenience” is the best negative that comes up, well, for us that’s not really a reason but an excuse.

How does two-factor authentication work?

Wow, you ask great questions.

There are numerous ways to deploy 2fa, such as being asked about your trusted devices if you’re signing in from a new computer or mobile device, such as a new or borrowed iPhone, etc. There is also the trusted phone numbers route, where you’ve already provided your personal phone number so that you can receive a text or even phone call to confirm your identity. And there are verification codes, such as being sent a temporary code that only works for you and what you are trying to do.

For instance, you or your customer needs a password to log in. Instead of the password triggering entrance, a second prompt arrives, asking to confirm that it really is you trying to log in, with the prompt asking you to confirm via:

  • Email
  • SMS
  • Your Voice
  • Push notifications
  • Soft tokens
  • Or more recently, even using an app and your fingerprint (on an iOS device) or other biometric identifiers such as facial or eye recognition

Again, we cue up the trusty PCMag.com which highlights some other apps that are reliable as well, stating, “there are several including some from big names like Microsoft and Google with apps for both major mobile platforms. Those two are pretty basic. Others, such as Twilio Authy, Duo Mobile, and LastPass Authenticator, all do the same thing, essentially, some with password management and other features. Conversely, the majority of popular password managers (like LastPass) all offer 2FA authentication by default.”

One more method is using a password manager.

“Password managers are the gold standard of security,” said GetResponse IT Security Expert Bartosz Nowicki. “(A user can have) one password to secure all their unique passwords per a service with a 2FA code inside, which makes a unique – and really easy – experience at the very end.”

A couple such apps/platforms are 1password and BitWarden.

What’s the point? 

Let’s say someone gains access to your website or other asset where a login is required. They now have the power to blackmail you, to use your data for malicious reasons, or to just ruin your whole operation.

To put it in some tangible terms, last year Microsoft said that, on average, approximately 0.5% of all accounts get compromised each month. Maybe that seems like a low percentage, but that equalled 1.2 million accounts in January 2020. One-point-two million.

And once someone gets that access, they can do a lot more harm to everyone – and to you personally.

Beyond that though, they now have gained access to your customers’ data. And that’s a massive loss and cost. Gaining their trust back isn’t impossible, but it will be difficult.

Now imagine that your customers realize this was all entirely preventable, with a super simple solution. And that extra step was ignored or just not deployed, so now they’re vulnerable and suffering with identity and data (and even monetary) losses.

How clever are those new phishers?

Over this past year-plus we are seeing phishing being sent in two scenarios:

  • One is a completely new account created to send phishing messages
  • The other is a compromised account, or account takeover, which tries to imitate real accounts to get access by prompting the user to click something or give information

The problem is that when damage control targets one tactic, say something is implemented to limit phishing from new accounts, account takeovers increase, and vice versa.

“They just switch their modus operandi and send them another way,” said Piotr Mathea, GetResponse’s Director of Anti-Abuse.

So now account takeovers have spiked in the last six to nine months as phishing scammers are being deterred better and more effectively.

“It’s opportunistic – it’s getting easier and easier to create emails that are really good at pretending they are something different,” Mathea said.

You’ve surely seen these accounts or been warned of them by someone, most likely your bank provider alerting you to scamming going on. They say to always double-check the sender address to make sure it’s valid.

Let’s look at how easy it is to mimic an account that, if not inspected, can slip right through the cracks.

For instance, your marketing email account is AwesomeMarketing@SuperDuperMarketing.com.

A fake account is made and sent to your users to phish them, and they just make something like AwesomeMarketing@SuperDuperMarketing2.com or AwesomeMarketing@SuperDuperMarketingTom.com.
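The "double-check the sender address" advice can be automated on the receiving side. The following is an added example, not a GetResponse feature: it classifies a sender against a list of trusted domains and flags names that embed the trusted name or sit within two character edits of it. The function names and the threshold are assumptions, and the misspelled address in the demo is constructed.

```python
TRUSTED_DOMAINS = {"superdupermarketing.com"}  # the article's example domain


def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for good in trusted:
        # Exact match, or a subdomain the trusted owner controls.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        brand = good.rsplit(".", 1)[0]  # name without the final label
        # Trusted name embedded in a different domain (extra digit, name...).
        if brand in domain:
            return "lookalike"
        # Near-miss spelling of the whole domain.
        if edit_distance(domain, good) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in (
        "AwesomeMarketing@SuperDuperMarketing.com",
        "AwesomeMarketing@SuperDuperMarketing2.com",
        "AwesomeMarketing@SuperDuperMarketingTom.com",
        "AwesomeMarketing@SuperDuperMarketng.com",  # constructed typo
    ):
        print(sender, "->", classify_sender(sender))
```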

Voluntary, not mandatory

We at GetResponse do not force anyone to use 2fa. We want to provide knowledge and education about what it is and why we think it’s important.

We’ve started to live online more and more. As a new generation of digital natives gets older, more and more valuable stuff is being held online.

We don’t make any user give us their phone number, but we ask for it, so that we can require confirmation via phone on a suspicious login – but we can only do such a thing if we verified the phone number prior to the incident.

If we didn’t, we cannot be sure the confirmation text we send will be delivered to the proper phone number. That limits our ability to verify login attempts from unknown devices. We are in a better position to send a confirmation request to an email address. However, when a single password is used in all places, that channel can be compromised as well, but it’s still better than nothing.

Can’t thieves get in anyway?

Going back to the seatbelt analogy. Sure, it isn’t foolproof with a 100% guaranteed success rate, but in most cases, it prevents harm or further harm, and keeps you in place when catastrophe strikes.

Say you’re protecting yourself from a drunk driver, from a deer running onto the road – you don’t know if it’s going to happen but you want to have this insurance. It won’t protect you from the accident happening, but will help a lot in recovery from the incident and limiting the harm as much as possible.

2fa won’t prevent evildoers online from stealing credentials, but it will prevent them from using those stolen credentials, and keep you from losing anything further.

No really, we really, really recommend using two-factor authentication

Setting up 2fa in GetResponse takes a few steps, but it’s well worth it once you have it in place.

Take a moment, fasten your seatbelt, and drive through the online world a lot more safely going forward knowing you’ve taken the best preventative measures – just in case.

“Given a chance you should always 2FA,” Mathea concluded.


Habeab Kurdi
Immersed in words and all things copy for 20+ years, Habeab is the in-house copywriting expert for GetResponse responsible for a wide breadth of projects. Beginning as an award-winning newspaper journalist for the Chicago Sun-Times and Austin American-Statesman, he has also worked as a social media manager, photographer, managing editor of a magazine, as well as getting his hands dirty in startup breweries, coffee roasting, and a gin distillery in his former home of Austin, Texas.