When it comes to your organization’s online security, you can’t be too careful. The volume and sophistication of cyber security threats are increasing at a rapid rate, with three in four US companies at risk of a material cyberattack (incidents that have a significant impact on a company's financial position). As a result, many companies are casting a critical eye over their current info security practices.
After all, a significant amount of personal, financial, and confidential information is held in your business’s online accounts, and data breaches frequently result in revenue losses. For most organizations, there’s one simple step that can help improve your employees’ cyber security discipline across the board: Two-factor authentication, or 2FA.

Two-factor authentication explained
Authentication is the process of verifying the identity of a user in order to establish access to a computer system or online account. There are three main “factors” for authentication:
- A knowledge factor (something you know, e.g., a password or a PIN).
- A possession factor (something you have, e.g., a mobile device or an ID card).
- An inherence factor (something you are, e.g., a fingerprint or your voice).
There are also “location factors” and “time factors”, but these are much less common. Two-factor authentication, or 2FA, simply means that your security system uses two of these factors.
In other words, two-factor authentication is a second layer of security on top of your password or PIN number. If—after logging in with your password—you’ve ever been asked to enter a numerical code sent to you on your mobile device to prove your identity, you’re already familiar with 2FA.
However, getting a code by text isn’t the only two-factor authentication method. There is a broad range of options, including authenticator apps, push notifications, software tokens, voice-based authentication, and so on. In most cases, however, the extra layer of security is likely to be an SMS text message code.
What is an authenticator app?
While you’re likely to be familiar with most types of two-factor authentication, such as text messages, voice-based messages, and push notifications, you may be a little less familiar with authenticator apps. In fact, they’re relatively simple.
So, what is an authenticator app? Essentially, it’s an app on your mobile phone that generates digital verification codes which can be used to verify your identity when logging into a website or app. There are many different authenticator apps to choose from, including Google Authenticator App and Duo Mobile—all of which follow roughly the same procedure.
Authenticator apps are generally considered to be a slightly more secure form of 2FA than receiving an SMS text message passcode. That’s because, technically speaking, SMS messages aren’t something you have, but something you’re sent.
As such, there’s a small chance that hackers could trick your carrier into porting your mobile phone number into a different device (a type of fraud referred to as a “SIM swap”). Assuming they already have your password, this would enable an attacker to gain access to your account. By contrast, the verification codes for authenticator apps expire very quickly (usually after 20 or 30 seconds) and the code stays entirely within the app.
How does two-factor authentication work?
Once you’ve set up two-factor authentication on your system—whether you’re using an authenticator app, push notifications, or SMS messages—it’s relatively simple to use. Here’s a step-by-step guide to the 2FA process itself:
- The user is prompted to log in by the website or app.
- The user enters their username and password, fulfilling the first security factor.
- After the site recognizes the user, they’ll be prompted to initiate the second step of the login process. At this stage, the user needs to prove that they have something, like an ID card or a smartphone, fulfilling the second security factor, i.e., “possession”. In most cases, users will be sent a one-time security passcode that they can use to confirm their identity.
- Finally, the user enters the security key and after the site has authenticated it, they’re granted access.
Why use two-factor authentication?
The importance of securing your business’s files and content can’t be overestimated. Global cybercrime damages are estimated to reach around $15.63 trillion annually by 2029. The costs associated with cybercrime include the destruction/misuse of data, stolen money, post-attack disruption, the theft of intellectual property, and lost productivity.
You also need to think about the potential expenses associated with restoring hacked data, forensic investigation, and reputational damage.
As threats become increasingly sophisticated and the rest of the world implements two-factor authentication as standard, businesses that don’t use 2FA risk leaving themselves vulnerable to predatory hackers. It’s like not wearing a seatbelt because the car has airbags. Technically, you’re protected, but nowhere near as protected as you could be.
Why you shouldn’t rely on “strong” passwords
When it comes to online security, the most common authentication factor, by far, is the username/password combo. This means that most systems only use single-factor authentication. Although passwords have been the go-to info security standard for decades, there are several reasons why it may finally be time to move beyond passwords altogether:
1. Humans tend to have poor memories
Unfortunately, this is a given. Plus, in many cases, the passwords we choose are comically easy to guess: “password”, “12345”, “qwerty”, and so on.
2. People have more online accounts than they did when passwords were first introduced
This means there are often simply too many passwords to remember. This can lead to “password recycling”, where the same password is used for multiple accounts, making it easier for hackers to gain access.
3. Some websites use security questions
For example, a site might ask “What’s your mother’s maiden name?” as a kind of second factor. However, with such an abundance of personal information available online, hackers are often able to guess the answers to these relatively basic questions.
It’s important to note that security questions are simply a second knowledge factor, and this practice isn’t “real” 2FA. You’re essentially backing up a password with another password. In this sense, it’s much closer to two-step verification (2SV), a form of authentication that doesn’t require different factors, just multiple steps.
Bottom line: Passwords are the lowest form of security, which is why two-factor authentication is increasingly becoming the basic security standard for enterprises.
Beyond two-factor authentication
The benefits associated with two-factor authentication are significant. But 2FA isn’t the final destination for info security. Far from it.
After all, two-factor authentication isn’t foolproof. If an attacker wanted to gain access to your computer systems, a physical search of your premises could lead them to find an employee ID or discarded storage device containing passwords.
Furthermore, hackers can intercept text messages through phishing emails, potentially enabling them to bypass the second authentication factor. Ultimately, 2FA is only as strong as the weakest element of the security process.
Alternatives to two-factor authentication
So, what else is out there? Well, 2FA is simply a subset of a much larger concept: multi-factor authentication (MFA).
Theoretically, you could have three-factor authentication, four-factor authentication, five-factor authentication, and so on ad infinitum. While ordinary users aren’t likely to ever use anything beyond two-factor authentication, people who work in high-security environments may be required to use something like three-factor authentication (3FA), which typically involves the use of an inherence factor, such as a fingerprint or iris scan.
How to get 2FA with Dropbox
It’s clear that enabling two-factor authentication can have serious benefits for your business, but the process of rolling out 2FA across your entire company can be a little daunting. Fortunately, it doesn’t have to be too much of a challenge.
Dropbox offers two-factor authentication. If you enable 2FA, Dropbox will require you and your team to provide a second form of authentication (e.g., a six-digit passcode or security key) whenever you log in to your account or link a new tablet, computer, or phone.
In addition, Dropbox offers a number of password protection features that can help you secure and control your business’s sensitive information, while you can also set expiration dates for shared links and password protect your PDFs and folders.
There are other cyber security measures that you can implement with Dropbox to help secure your files even more effectively. Cloud data protection is our top priority, and cloud security is an ideal complement to two-factor authentication. With multiple layers of protection across a distributed cloud infrastructure, you can ensure that all your online files are afforded the same level of protection. Plus, enterprise-grade encrypted cloud storage can be used to comply with most global regulatory standards.
Keep your data safe and benefit from 2FA with Dropbox
Relying on a single password as the only protection for your files and data leaves you vulnerable to preventable threats. With 2FA, you make it far harder for bad actors to access your content.
Whether you’re already a Dropbox user looking for a little extra peace of mind, or you need a cloud storage solution with multiple layers of protection—Dropbox has you covered.
Sign up for an account to start benefiting from two-factor authentication today.
