Lack of multi-factor authentication leaves online services vulnerable to account takeover. A look at three recent examples shows how organizations are adopting two-factor authentication to secure user accounts and data.

  • Sony added two-factor authentication (2FA) to its PlayStation Network accounts after several attacks over the last few years. PSN users can now set up the new security feature through their PS4 or through their web PSN account.
  • Instagram users have previously been hacked. With 400 million users using the service for both personal and commercial purposes, there is a lot at stake. Because of this, Instagram has added two-factor authentication (2FA) to its service. This extra security lets users authenticate account access by phone, making it difficult for hackers to gain access armed with only an email and a corresponding password.
  • On Halloween 2015, PageFair—a company specializing in providing non-intrusive ads to a number of websites—suffered a devastating security breach. Attackers ran a sophisticated spear-phishing attack disguised as an email from the CEO to PageFair’s staff. It included a phony YouTube page link, which the blog post stated “actually linked to a faked Google authentication screen customized for the target user with a pre-filled email and avatar.”

How Does Two-factor Authentication Work?

Traditional methods of logging into an account or website require only a user name and password. Such single-factor authentication is what left PageFair exposed: once the fake login screen captured a password, nothing else stood between the attacker and the account.

Two-factor authentication requires you to provide a second form of validation in order to gain access. Authentication factors fall into three categories, and a genuine second factor comes from a different category than the first (a password plus a PIN is two instances of the same category, not two factors):

  • Something only the user knows, such as a PIN or the answer to a security question
  • Something only the user has, such as a hardware token, a phone running an authenticator app, a registered phone number, or access to a preset email address (the weakest of these, since a mailbox is often itself protected by just a password)
  • Something only the user is, such as a fingerprint read by a thumbprint scanner or a voice print checked by voice authentication

What Does Two-factor Authentication Secure?

Two-factor authentication can secure a variety of online checkpoints, including administrative access to entire websites and applications, remote access to companywide web applications, and even access to subsets of web applications and sites.

There are three ways that two-factor authentication can increase security:

  • Two-factor authentication limits the damage of a breach. Even if a password is leaked from one site, or reused across sites, an attacker who holds only that password still cannot log in without the second factor.
  • Some 2FA methods double as an alarm: a verification code or login prompt you did not request is a warning that someone else already has your password and is attempting to break into the account.
  • Your data overall is less likely to be compromised. While traditional credentials can be misplaced, stolen, forgotten, or phished, 2FA also relies on something only an authorized user can present.

Can 2FA Decrease Productivity?

But adding extra levels of verification can present an issue.

Two-factor authentication can be harder to integrate in some digital infrastructures. Because of this, many website admins view it as inconvenient, regardless of its benefits.

Implementing 2FA can disrupt a site’s existing user and password database, and can also hinder ongoing productivity. As this CNET article points out, “[Two-factor authentication] does make the user experience more complicated.”

Why? Because some forms require 2FA every time an account is accessed.

The key to maintaining productivity—while maximizing security—is to create specific rules that implement 2FA only where and when it’s needed. Using it as a blanket approach to user validation can become cumbersome and degrade the user experience.

Choosing a Two-factor Authentication Service

Two-factor authentication varies between providers and their offered solutions. Check that the 2FA service you select offers centralized control before you commit.

Many services require separate integration with each application within a company’s assets. This slows down implementation and makes account management far more labor-intensive over time.

With Imperva Incapsula, a single click sets up two-factor authentication, a.k.a. Login Protect, without having to install plugins, make code changes or integrate third-party authentication products. It provides centralized control over multiple logins across several websites. In addition, Incapsula Login Protect offers fine-grained control to apply 2FA to any portion of your web application or site. Meanwhile, there is no disruption to your site’s existing protection or user credential database.

Once you’ve activated Incapsula on your website, here’s how easy it is to activate Login Protect:

  1. Log in to the Incapsula management console.
  2. Navigate to the Login Protect settings screen.
  3. Enter the URL or folders you would like to protect, using either an exact match or one of the wildcard options.
  4. Choose your preferred authentication method: e-mail or Google Authenticator.
  5. Add the name and email address of users who will have access to the URL.


Note: The number of users and authentication methods vary, depending on your service plan.

Authorized users will receive an email with a verification link. Once clicked, a page is displayed asking them to provide an email address and phone number for authentication, and showing a QR code to scan with Google Authenticator.

From then on, anyone wanting to access the protected page will first be shown an Incapsula 2FA page asking them to enter their one-time code.
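The Google Authenticator enrollment and one-time code check described in the steps above, and the “something only the user has” factor from the section on how 2FA works, both rest on the same mechanism: a shared secret inside the QR code and a time-based one-time password (TOTP, RFC 6238) derived from it. The following is an added example written for this page, not Incapsula’s own Login Protect code, whose internals are not published here. It assumes the Google Authenticator defaults (HMAC-SHA1, 6 digits, 30-second step) and uses the RFC 4226/6238 test-vector secret so the results can be checked against the RFC. The account name and issuer in the URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step; what Google Authenticator expects
DIGITS = 6          # code length accepted by Google Authenticator

# ASCII "12345678901234567890", the RFC 4226/6238 test-vector secret, base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32 without padding (the form authenticator apps accept)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes (account/issuer are placeholders here)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse the base32 encoding, tolerating the spaces and missing padding apps display."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the phone shows."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // STEP_SECONDS)


class TotpVerifier:
    """Server side of the 2FA page. Accepts the current step plus `skew_steps` either side to
    absorb clock drift, compares in constant time, and never accepts a step at or below the
    last one used, so a code captured by a phishing page cannot be replayed within its window."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self._secret = decode_secret(secret_b32)
        self._skew = skew_steps
        self._last_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        submitted = submitted.strip()
        if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
            return False
        t = int(time.time()) if at is None else at
        step = t // STEP_SECONDS
        for candidate in range(step - self._skew, step + self._skew + 1):
            if candidate <= self._last_step:
                continue  # already consumed (or older than a consumed code): reject replay
            if hmac.compare_digest(hotp(self._secret, candidate), submitted):
                self._last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrollment: the URI below is what the QR code would carry for a placeholder user.
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Example Corp"))
    # Login: the phone shows totp(...); the server checks it with a one-step skew window.
    print("current code:", totp(RFC_TEST_SECRET))
    print("accepted:", TotpVerifier(RFC_TEST_SECRET).verify(totp(RFC_TEST_SECRET)))
```

Two details matter in practice. The replay check is what stops the PageFair-style attack from simply forwarding a freshly phished code a few seconds later within the same 30-second step: once a code has been consumed it is dead, even though the phone still displays it. And the skew window should stay small (one step each way is typical), because every extra step accepted widens the set of codes an attacker can guess.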

To summarize, two-factor authentication can be an important security control for protecting your own company and its customers. If you have questions about 2FA, security or performance, please leave us a comment.
