Two Factor Authentication

With IT security becoming more and more prevalent now that our staff are outside of the usual office environment and company data is being accessed from home, we need to refocus and make sure that we're as well protected as we can be. We have seen that in some cases threats are becoming simpler, such as blanket targeted emails to gain knowledge and data, because the human in us sometimes just isn't as on guard as we once were in the office. So the question we're hearing more and more is: how do I prevent the simpler attack?

The short answer can be Two Factor Authentication. We all use some form of 2FA in our day-to-day lives, whether this be online banking through to passcodes or some form of biometric access on our mobile phones, but how do we use this in the simplest form for our business data? Whilst we appreciate it is very difficult to portray the use of 2FA and the potential “headaches” it may cause, follow-up questions tend to be around:

  • Why do I have to do this now?
  • How often will I have to do this?
  • When will I have to do this?
  • If this is on my mobile, what does it do and what else does it then have access to?

The main reason behind this now is that hacking has become much simpler due to human error. There are far too many spam / phishing emails being sent out stating that passwords need re-entering, or requesting that you log into Office 365 because a document has been shared with you, along with credential harvesting requests for access to websites such as Amazon, PayPal, eBay and various other online services, in which the user opens the link and enters their username and password. These are not the genuine sites and are essentially harvesting users' credentials to either use themselves or sell on. 2FA prevents the access from happening.

So what happens if they have my password? 

We have seen, and it's common practice, that as soon as these details are available, your account is logged into by these "hackers" and one of two things happens.

  • They will look to access any documents they can and restrict full company access, offering to release this for a sum of money.
  • Secondly, they start to utilise your email account to send out further emails to your customers who owe money for goods or services which you have provided, to say the bank account to pay the invoice to has changed and asking them to please pay the outstanding invoice into a new account. This money then ends up in the criminal’s account and not yours. By having access to your mailbox, they often set up email rules to divert any returned emails to different folders (other than your Inbox), so you may never see the replies from the customers targeted and therefore not be aware of any of this happening.

Implementing 2FA software dramatically increases security, in that it implements something you know and something you have been given.

2FA is presented as a confirmation token when access to Office 365 Cloud services outside of the business environment is requested. You are not required to confirm every time you log on to your workstation, nor every time you open Outlook for email or Word etc. However, when access to the web-based Office 365 Portal is required (which in some cases could be very rare), you will be asked to confirm access. If for any reason staff accidentally fall foul of one of the phishing attacks, then the hacker would not be able to do anything with your passwords. Should they try to log in for malicious purposes, including the two above, then they will NOT be able to get in to your systems as they won’t have the confirmation message to approve. If an approval request arrives without the user accessing anything, they just click deny. What this method will also do is alert the user that someone is trying to access their account and encourage password changes, and at the very least raise awareness.

The simplest method for introducing 2FA is via the free Microsoft Authenticator app installed on a smartphone. This app is linked to your work email account via a QR code being scanned at setup. It has no links to any other app on the phone, no access to any other settings and does not give anyone access to your phone data, apps or location. It is purely for approval when requested. All that happens when requested from a login session is that an icon is presented on the phone to either approve or deny access. Once this is selected, the app is done with its requirement and access is confirmed, literally a 2 second task.

As covered earlier, the simplest of threats can be prevented using the simplest methods. IT Security is not always big money, but it could save you big bills.

