May 2019: 2FA—Control in the Palm of Your Hand

Authors:: Sandy Silk
Published:: Monday, December 17, 2018
Columns:: Cybersecurity and Privacy

min read

Two-factor authentication is one of the easiest and most available approaches to protecting online accounts. This post is one of twelve blogs that feature ready-made content designed to enhance security awareness.

photo of hand holding a counter — *Credit: Economica20 / Shutterstock © 2018*

Campus Security Awareness Campaign 2019

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content at the security awareness resource page.

Weak and reused passwords continue to be a common entry point for account or identity takeover and network intrusions. Some simple steps and tools can help your end users employ unique, strong passwords for their dozens of accounts. Help your community improve their individual and collective security by sharing these tips.

Get the Word Out

Newsletter or Website Content

Wouldn't it be nice if your accounts could let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others? Were you tricked into revealing your password through a phishing scam?Rest easy, your account is safe! That's essentially the control that two-factor authentication (2FA)—also known as two-step verification or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That's a lot of power for very little effort!

How does it work? Once you've activated two-factor authentication on an account, whenever an account login with your password comes from a different device from what you've already permitted, an authorization check will come to your smartphone or other registered device. Without your approval or current code, a password thief can't get into your account.
Is it difficult to set up? 2FA is becoming more widely available and easier to use. Typically, you'll either install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can't install a mobile app. For international travelers, the mobile app also generates a code so that a data or cellular service connection isn't required for this second step.
Can I adjust frequency of the checks? In many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., personal website administration), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up 2FA—such as personal email account you typically only check from one laptop and one smartphone.
Which accounts should I protect with 2FA? Why wouldn't you protect all of them where it's available? But, start with those that are most critical to your identity and livelihood. Here are some suggestions:
- Email accounts: "Forgot password” reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
- Financial accounts: Protect your money!
- Social media accounts and website management accounts: Protect your brand!
- Online shopping accounts: Protect usage of your stored credit card information!

Social Posts

Step up your #password protection with two-factor authentication! #2FA
Control freaks of the world unite! #2FA
Are you protecting your social media accounts with two-factor authentication? #2FA
#LayerUp your password with two-factor authentication.

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's information security page.

Example:

Jane or John Doe
Chief Information Security Officer
XYZ College or University

Step up your password protection with two-factor authentication! Learn more. [Link "Learn more" to your institution's information security page.]

Embed or Share Videos

What is Two-Factor Authentication? (2FA) (1:59 min)

The Factors (Crapshots Ep. 422) (0:46 min)

Resources

Share these resources with end users or use them to inform your awareness strategy.

Check Two Factor Auth (2FA) to see a list of the services that offer two-step verification.
Learn more about two-factor authentication from Lock Down Your Login [https://www.lockdownyourlogin.org/].
Looking for more videos or a quiz? See what's available at Password Day.
Back to basics: Multi-factor authentication (MFA) (NIST, Trusted Identities Group)

Use This Image to Support Your Message

image detailing basic login steps — *From Back to basics: Multi-factor authentication (MFA)*

Sandy Silk is Director of IT Security Education and Consulting at Harvard University.

ParentTopics:: Identity and Access Management