Why CIOs Should Care About Two Factor Authentication

Everybody needs two factor authentication, but just exactly what is it?
Everybody needs two factor authentication, but just exactly what is it?
Image Credit: Dave Crosby

As everyone in the CIO position knows, keeping the company’s systems and applications secure is a top priority and has a lot to do with the importance of information technology. However, just exactly how to go about doing this has always been a bit of a mystery. One of the most powerful techniques that is currently being used is something called “two factor authentication”. What is this security technique and how many different flavors of it exist?

Two Factor Authentication

So just exactly is two factor authentication. This security technique can been seen in use when you use your username / password to log into a computer system or an application. Once you’ve done this, you are not yet permitted to access the thing that you are logging in to. Instead, there is one more step. Perhaps there is a secret code that you have to enter or there is a pop-up that occurs on your phone that you have to select.

What this means is that anyone trying to break into your company’s computers would require a user’s username / password and access to their phone or some other sort of second factor device. Since you are the person with the CIO job, you can quickly realize that any applications that you are currently using that don’t support two factor authentication are potentially vulnerable. These types of applications can include popular websites including Gmail, Facebook and perhaps your personal banking website that you are able to gain access to with just a username / password.

Most websites these days support some form of two factor authentication. However, this security service is generally not activated by default. What this means for the users in your IT department is that they are going to have to manually turn on two factor authentication in many of the applications that they are using in order to truly be secure. Once a user has logged into an application or website using two factor authentication, they generally won’t be required to double identify themselves again unless they happen to log out of the site.

Issues To Be Aware Of When You Are Using Two Factor Authentication

Not all two factor authentication is created the same. Currently there are three different types of two factor authentication and each of them has their own set of concerns. As the CIO, it’s going to be important that you realize what the differences between the different types are and in which situations each should be used.

One approach to implementing two factor authentication is to use text messages. After you use your user name / password to log in, a text message is sent to you with a unique code that you then type in to confirm your identity. The risk with this method is that the bad guys can either steal your phone or simply make a copy of it. The risks of this happening are fairly low, but if your application or website is a high profile or high value item, then you might want to look for other authentication techniques.

Another approach to using two factor authentication to identify who is using an application is to identify the device that you are using to access the application. If the application or website recognizes the device that you are using (you’ve used it to access the website / application before) then you are in. If not, then a message may be sent to your smartphone to get you to confirm that you are the one who is trying to access the website / application. It’s generally recommended that you make two separate devices your “trusted” devices just in case you lose one of them.

The final way to implement a two factor authentication system is to use a keychain / USB dongle system. These systems generate a new second-factor code every 60 seconds. This is one of the most secure ways to use two factor authentication. Some USB dongles come with the ability to wirelessly transmit their code to the device that you are using so that you don’t even have to be bothered typing the number in to the computer.

What All Of This Means For You

The challenge of securing both applications and websites is a task that CIOs have to deal with every day. Yes, secure usernames / passwords are the traditional way to go about doing this, but in these modern times we are discovering that they may not be enough. Instead, we need to move to the next level of security. This level is called two factor authentication.

Two factor authentication requires the user to enter a username / password and then enter an additional piece of always changing information. Often this information will be gotten from their mobile phone. The bad guys would have to get someone’s username / password and then steal or copy their phone to gain access to a company system. Many applications support two factor authentication, it just has to be turned on. There are three different ways to implement two factor authentication. The first is to have the application send a unique text message to the user’s phone that they then type in. The next is to uniquely identify the system that the user will be using to access the application, and finally there is the use of a USB dongle system.

Two factor authentication is a critical step in any company’s plan to secure their websites and applications. The good news is that it is relatively easy to implement. CIOs need to take a careful look at the systems that they will be securing and then determine if they want to implement a two factor authentication system that is easy to use or more secure.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Can you think of any IT system that would not require the additional security that is provided by a two factor authentication system?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

Almost every person with the CIO job currently has some form of antivirus software deployed within their company. The thinking behind this software is that if the bad guys attach some malicious software to a document, image, or spreadsheet that comes into the company, then before anyone can open it up the antivirus software will catch it and the file will be quarantined. However, times have changed and despite the importance of information technology, CIOs may be putting too much faith in exactly what their antivirus software can accomplish.