What You Should Do When Two-Factor Authentication Becomes a Security Requirement


The desire for enhanced digital security has caught the attention of governments worldwide, all looking to protect consumers and businesses. As a result, many have proposed legislation that makes two-factor authentication (2FA) a mandatory requirement for IT systems.

Mandating a 2FA Requirement

On May 12, 2021, US President Joe Biden issued an executive order making 2FA a legal requirement for all government agencies. Federal agencies like the FBI, the Department of Homeland Security and the National Security Agency were given 180 days to implement 2FA protection for all data.

In the UK, the National Cyber Security Centre (NCSC) issued strong guidance to British businesses in the face of increased threats from foreign agencies. Included among the recommendations was the inclusion of 2FA login protections for their systems.

Similar 2FA requirements are becoming more common in industry frameworks, too. The latest version of the Payment Card Industry Data Security Standard (PCI DSS) now requires 2FA or multi-factor authentication (MFA) for account-related tasks, such as certain types of payments. By adding logon requirements, providers are better able to protect their clients against fraud.

Other industries that deal with sensitive personal information are following suit. In the US, there are moves to improve the Health Insurance Portability and Accountability Act (HIPAA) to include 2FA requirements. By tightening access to sensitive patient data with secondary authentication, providers can protect patient confidentiality.

Why do 2FA Requirements Matter?

The key benefits of 2FA are the ability to tighten perimeter defenses and reduce the risk of malicious actors gaining access to corporate or government systems. By adding an additional layer of authentication, users are better able to protect themselves, and businesses can help shield their customers from fraud, identity theft, blackmail and other losses.

Mandating 2FA at the government or industry levels gives digital laggards an encouraging push to update their access control systems for the benefit of their users and customers.

Is it Easy to Get Around 2FA?

It's hard to bypass 2FA. Without direct access to a user's secondary authentication method, like a smartphone, app or hardware token, completing the second stage of the 2FA process is nearly impossible. This makes systems protected by 2FA much harder to compromise and thus much more secure.

As you prepare to incorporate 2FA into your digital security protocols, there are several other questions you should consider, including:

1) How Can You Fulfil Your 2FA Requirements?

Like any security control, a 2FA deployment must be carefully planned to ensure it protects your assets properly. Among the biggest challenges you'll face will be enabling 2FA on legacy systems and integrating the technology with your existing environment. Without addressing these questions, your new defenses are unlikely to be as comprehensive as you might have hoped.

2) Which Accounts Need 2FA?

It may be tempting to apply 2FA only to admin-level accounts or those with permissions allowing them to make system and security configuration changes. However, this approach does not sufficiently address data access permissions. For example, your sales manager may not be able to add firewall rules, but they can access GDPR-protected personal information in the customer database.

It's worth remembering that cyber-criminals will often start by compromising a single system. Then, they'll use that compromised system as a staging point for further attacks inside a corporate network. Gaining access to a lower-level account has the potential to cause bigger problems down the road. Ideally, you want to prevent hackers from achieving any foothold inside your defenses.
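The scoping argument above can be turned into a coverage check. This is an added example, not code from the article: the account inventory, role names and data labels are constructed, and it contrasts the admin-only policy with one that also counts access to sensitive data.

```python
"""Audit 2FA coverage across an account inventory.

Added example, not from the article. The inventory format, privilege names
and data labels below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Data classes whose exposure the article calls out (PCI DSS, HIPAA, GDPR).
SENSITIVE_DATA = {"cardholder", "phi", "personal"}
# Privileges that allow system or security configuration changes.
ADMIN_PRIVILEGES = {"firewall_rules", "user_admin", "security_config"}


@dataclass
class Account:
    name: str
    privileges: set = field(default_factory=set)
    data_access: set = field(default_factory=set)
    mfa_enabled: bool = False


def needs_2fa_admin_only(acct: Account) -> bool:
    """The tempting but insufficient policy: admin-level accounts only."""
    return bool(acct.privileges & ADMIN_PRIVILEGES)


def needs_2fa_data_aware(acct: Account) -> bool:
    """Policy that also covers accounts able to read sensitive data."""
    return needs_2fa_admin_only(acct) or bool(acct.data_access & SENSITIVE_DATA)


def coverage_gaps(accounts, policy):
    """Names of accounts the policy requires 2FA on but that lack it."""
    return sorted(a.name for a in accounts if policy(a) and not a.mfa_enabled)


# Constructed inventory: the sales manager has no admin rights but reads
# GDPR-protected customer records, exactly the case the article describes.
INVENTORY = [
    Account("netadmin", privileges={"firewall_rules"}, mfa_enabled=True),
    Account("sales_manager", data_access={"personal"}),
    Account("billing", data_access={"cardholder"}),
    Account("intern", data_access={"public"}),
]

if __name__ == "__main__":
    print("admin-only gaps:", coverage_gaps(INVENTORY, needs_2fa_admin_only))
    print("data-aware gaps:", coverage_gaps(INVENTORY, needs_2fa_data_aware))
```

With this inventory the admin-only policy reports no gaps, while the data-aware policy flags both the sales manager and the billing account.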

3) Which 2FA 'Factor' Should You Use?

Not all 2FA 'factors' are created equal, and some are inherently more secure than others. For example, SMS confirmation codes are popular because they are quick and easy to implement, but they are not as safe as a hardware token or an authenticator app.

4) Should You Customize Your 2FA Offering?

Network security is a balancing act: protecting systems from unauthorized access without significantly impairing user productivity. Given that every organization's processes are unique, it is likely that an off-the-shelf solution would lack the granularity to meet every need.

A good starting point is mapping out the various authentication touchpoints throughout your network and the processes they impact. This will help you understand your own 2FA requirements and how best to deploy the technology.

2FA is Becoming Unavoidable

The reality is that businesses of all sizes must improve data security provisions to better protect their operations and customers. Increasingly, legislation and industry best-practice frameworks are pushing organizations in the right direction. On top of that, customers are more aware than ever of online risks, and they're demanding that their data is protected against loss or theft.

That's why thinking about current 2FA requirements and planning for future implementation makes good strategic sense. Eventually, 2FA will become a necessary and unavoidable part of doing business.
