Not all two-factor authentication methods are created equal. Here’s a walkthrough of the three most common two-factor authentication examples and the pros and cons of each.
- Code Texts or Emails
Most users of connected devices are familiar with this approach to two-factor authentication. Whenever they log into one of their accounts, they receive a text or email containing a randomly generated one-time code that grants them access to the account. The good news is that this method doesn’t require a high-tech phone or app. There are also options to have the code read aloud via an automated phone call, which is a good alternative for visually impaired or inexperienced users who find it difficult to navigate apps.
Unfortunately, text and email authentication come with their own problems. SMS-based two-factor authentication is vulnerable to all the technical difficulties that plague normal cell phone use, such as poor connectivity, carrier issues, and roaming. If you’re in an area with poor reception, the code might not get through, which can make it difficult to access accounts while traveling.
Code texts and emails are also the easiest for hackers to crack. Phishing attacks are at an all-time high, and texts are the most likely target. “Porting” is when cyber scammers trick users into entering their two-factor authentication code on a fake website and then clone the victim’s phone number. Once that happens, the hacker can intercept future codes and gain access to the victim’s personal accounts.
- Phone Apps
Phone app authentication is a step up from SMS or email. With this method, the user installs a mobile app such as Google Authenticator that can read QR codes. The user scans the QR code shown by the website they want to access, after which Google Authenticator generates codes on their smartphone. The user then enters both the code and their regular password to gain access to the site.
This two-factor authentication solution avoids some of the technical issues of code texts or emails because it doesn’t require internet access. And since the access codes are generated directly on the device, it’s harder for hackers to intercept them or launch phishing attacks. Security codes are also faster to enter using push notifications, which is something MSPs should consider if they want to offer customers the least obtrusive two-factor authentication experience.
Finally, many users also feel more secure with phone apps because most of them will send out alerts about attempted logins detected on a device. If the user didn’t authorize the login attempt, they know a hacker is trying to gain access to their account and they can take preventative measures.
However, if the user’s phone dies or is lost and they don’t have a copy of the QR code saved elsewhere, there’s no timely way to recover the authenticator. Push notifications also require a cellular connection, which might be problematic if your clients are trying to access their accounts in a subway tunnel or anywhere else where a cellular data connection could go in and out. Finally, keep in mind that a user needs to own a smartphone in the first place to use phone app authentication.
- Physical Security Keys
Physical security keys are as secure as you can get when it comes to two-factor authentication for small businesses. This method requires the user to insert a physical key into the device to verify their identity, instead of relying on a numerical code. An unknown cyberattacker thousands of miles across the globe won’t be able to reach into your customers’ pockets and retrieve their key, however skilled a hacker they are. You can buy quality keys for as little as $20, but make sure you purchase one that complies with the FIDO2 security standards.
However, one downside to physical security keys is that your customers must always carry the key with them to access their accounts. This can be a hassle and leaves users vulnerable if they lose or misplace their keys. Since adoption of physical two-factor authentication has been a little slow, the keys are currently only compatible with devices that have standard USB or USB-C ports. iPhone users will have to wait until a Lightning version debuts.
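What “inserting the key” buys the server is more than proof of possession: the browser and the key both sign over the site the user is really on. The following is an added example, not code from the original post, of the checks a login server makes on a FIDO2/WebAuthn assertion before it trusts one: the challenge it issued, the origin the browser reports, the hash of the RP ID the key was registered for, the user-presence flag, and the signature counter. The origin, RP ID, challenge and the two helpers that fabricate an assertion are constructed so the checks can run offline; the final public-key signature check over authenticatorData || SHA-256(clientDataJSON) needs a crypto library and is left to the caller.

```python
"""Relying-party (server) checks on a FIDO2/WebAuthn assertion, before the
signature itself is verified.  Added example, not code from the original
post.  The origin, RP ID, challenge and assertion bytes are constructed;
make_client_data / make_authenticator_data stand in for what a browser and a
security key produce so the checks can run offline."""
import base64
import hashlib
import hmac
import json

FLAG_USER_PRESENT = 0x01  # authenticatorData flags, bit 0 (UP)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge, origin):
    """Constructed stand-in for the browser's clientDataJSON.  The browser, not
    the web page, fills in the origin it is actually displaying."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, sign_count, user_present=True):
    """Constructed stand-in for the key's authenticatorData:
    SHA-256(rpId) || flags (1 byte) || signature counter (4 bytes, big-endian)."""
    flags = FLAG_USER_PRESENT if user_present else 0
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def check_assertion(client_data_json, auth_data, expected_challenge,
                    expected_origin, rp_id, last_sign_count):
    """Return (ok, reason).  ok means the assertion is bound to our challenge,
    our origin and our RP ID and the counter moved forward.  The caller must
    still verify the key's signature over auth_data || SHA-256(client_data_json)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != expected_origin:
        # The phishing-resistance check: an assertion produced on a look-alike
        # site carries that site's origin and is rejected here.
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32],
                               hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted (no touch)"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if (sign_count or last_sign_count) and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "bound to challenge/origin/rpId; verify signature next"
```

The origin comparison is the step that makes a key different from a typed code: a code the user types on a fake site is just as valid on the real one, whereas an assertion the browser produced for a look-alike origin fails here before any signature is even examined.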
Two-Factor Authentication Best Practices
Regardless of which two-factor authentication solution you choose for your clients, what matters most is that you pick one. If you connect your account to the internet, you should assume a hacker will try to get into it at some point. This goes double for MSPs with customers who handle highly sensitive information on a day-to-day basis. Two-factor authentication holds cybersecurity to a higher standard and should be a prerequisite for companies dealing with sensitive data.
Once two-factor authentication is in place on their customers’ devices, MSPs can apply these additional authentication best practices to improve the end user experience.
- Implement two-factor authentication across the entire suite of devices, not just for certain devices or accounts.
- Customize two-factor authentication messages so your customers will be able to recognize spam messages more easily.
- Enable push notifications.
- Make authentication passcodes longer than six digits.
- Keep an eye on time drift, synchronization, and validity windows.
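The phone-app method above and the last two best practices (codes longer than six digits; drift, synchronization and validity windows) all come down to the same algorithm, so here is one added example, not code from the original post or from Google Authenticator, that implements it: HOTP (RFC 4226) and TOTP (RFC 6238) code generation with a configurable digit length, plus a server-side verifier that accepts codes within a small window of time steps to absorb clock drift and refuses any step at or before the last accepted one, so a captured code cannot be replayed inside that window. The shared secret is the RFC 6238 Appendix B test key (ASCII "12345678901234567890", base32-encoded) so the output can be checked against the published vectors; the time values and the one-step window are constructed for illustration.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP generation and a drift-tolerant verifier.
Added example, not code from the original post.  SECRET_B32 is the RFC 6238
Appendix B test key, used here so results can be checked against the RFC."""
import base64
import hashlib
import hmac
import struct
import time

# base32 of the ASCII key "12345678901234567890" (RFC 6238 Appendix B test key)
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Accept the unpadded, any-case base32 form that QR enrolment URIs carry."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # RFC 4226 allows 6 to 8 digits; more than that cannot be drawn uniformly
    # from a 31-bit value, so "longer" in practice means 7 or 8.
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """TOTP: HOTP with counter = number of `step`-second periods since the epoch."""
    return hotp(decode_secret(secret_b32), int(at_time) // step, digits)


class TotpVerifier:
    """Server side.  Accepts a code from any of the +/-window steps around the
    server's clock (tolerating client drift) and never re-accepts a step at or
    before the last successful one (replay guard, RFC 6238 section 5.2)."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.key = decode_secret(secret_b32)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = None  # highest step already used for a login

    def verify(self, code, now=None):
        """Return the step offset (-window..+window) the code matched, or None."""
        if now is None:
            now = time.time()
        if len(code) != self.digits or not code.isdigit():
            return None
        base = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if self.last_counter is not None and counter <= self.last_counter:
                continue  # already consumed: a replayed code lands here
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                # A non-zero delta is measured drift; a server can log it and,
                # if it keeps recurring, adjust the stored offset for this user.
                return delta
        return None


if __name__ == "__main__":
    print("current 8-digit code:", totp(SECRET_B32, time.time(), digits=8))
```

The `window` parameter is the validity window the last best practice refers to: one step each way means a code stays acceptable for up to 90 seconds on a 30-second step, which is why the replay guard matters and why widening the window is a trade-off against that exposure rather than a free usability win.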
Is Two-Factor Authentication Hackable?
Two-factor authentication is hackable to the extent all devices or accounts connected to the internet are hackable. Bad actors have successfully cracked two-factor authentication in the past, but it is extremely rare. It’s much more likely that human error will leave accounts vulnerable. The best way to prevent cybersecurity threats on your customers’ accounts is to educate them about the latest threats, teach them about the dangers of social engineering, and have a comprehensive backup system in place to salvage data in the event of an attack.
If you have a variety of customers with different backup solutions, it wouldn’t take much for things to get out of hand. With SolarWinds® Backup, MSPs receive gapless server, workstation, document, and application backup from a single dashboard. Check statuses and schedule backups with ease. By keeping all your backup needs in your own, single-tenant cloud, Backup reduces your hardware costs and makes your cloud services work harder for you. SolarWinds Backup also features a variety of auto-recovery and archiving options to ensure your customers never lose a single file.
Interested in learning more about how to securely back up your servers and critical applications? Explore our product suite to see how you can prepare for potential disasters.