Improving Account Security with 2-Step Verification


Why does an organisation need to set up 2-Step Verification / 2-Factor Authentication (2FA)?

Organisations and their employees have a legal and ethical duty to protect sensitive customer data.

It's “easier than you think” [1] for someone to steal your password, especially if that password is reused on other websites.

Exercise: if someone gained unauthorised access to an email account what would be the impact on your organisation?

Getting it wrong can be expensive. After a data breach, British Airways was fined £20m by the Information Commissioner.

Exercise: In what ways would it harm your customer if their personal data was stolen?

2-Step Verification / 2-Factor Authentication (2FA) is an essential second layer of defence in the event that a password is compromised. Microsoft Security calls it “the single most effective step you can take to improve security”. [2]

We recommend all organisations require 2FA for web-facing accounts such as cloud email. This guide can help your organisation prepare.

How does 2-Step Verification / 2-Factor Authentication (2FA) work?

In a typical 2-Step Verification / 2-Factor Authentication system, you combine something you know, like a password, with something (only) you have, like a key.

When you log in and enter your password, you'll be asked for something else, for example:

  • A hardware security key
  • A code generated by an app on your smartphone
  • A code received by text message (less secure)

Tip: when you sign in from a particular device, you can often mark it as trusted. In future, you won’t have to repeat the 2-step verification step again on that device.

2-Step Verification with a hardware security key

[Photo: Yubico hardware security key]

After entering your password, when prompted, simply plug the security key into a USB port on your computer and touch the security button to complete verification.

NFC-enabled security keys, like the YubiKey 5 NFC, also work with compatible smartphones.

Even if your security key is lost or stolen, an attacker still needs to know your password to access your account.

2-Step Verification with an authentication app

[Image: 6-digit code generated by an app on your smartphone]

After entering your password, when prompted, open the app on your smartphone and input the code it generates. Usually, these will be time-sensitive codes that expire after a short period.

This requires a compatible smartphone, and a free app such as Google Authenticator.

Don’t get locked out!

If you lose an authenticator device (e.g. your phone breaks), you can get locked out of your account permanently.

When you set up 2-Step Verification, print out backup codes and keep these safe and secure. Alternatively, you could set up a second method of authentication, such as a backup phone.

Getting locked out is less of an issue for organisation accounts managed by an administrator – the administrator can reset your account for you.

Preparing for 2-Factor Authentication (2FA) in your organisation

Before you deploy 2-Step Verification or 2-Factor Authentication, here are some questions to consider:

Can you roll out incrementally to reduce disruption? Are there key accounts that should be prioritised? How much support and training do staff need?

Where do your staff do their work? Solely on-premises, or remotely? Solely on desktops, or do they also use smartphones and tablets? It may be helpful to ask everyone to complete a form asking them to list every device that they use to log in.

Do your staff all have access to smartphones that support an authenticator app e.g. Google Authenticator for Android and iOS?

Is there a budget for hardware security keys? These work over USB: does your IT security policy allow USB devices? Do these keys also need to support NFC to work with mobile devices?

It's fine to have a mix of hardware security keys and app-based authentication, e.g. security key in the office, and an authenticator app at home or as a backup. How many devices need to be set up? What verification method(s) will each use?

Does anyone share an account? If so, 2-Step Verification enrolment must be coordinated.

Set up 2-Step Verification for your Google Account

Visit Google 2-Step Verification or go to myaccount.google.com, click "Security" and then "2-Step Verification".

How to set up 2-Factor Authentication (2FA) for Gmail on multiple devices?

Unfortunately, with services such as Google Gmail it can be a bit tricky when multiple devices want to access the same account (e.g. a shared account or a backup phone).

To set up 2-Factor Authentication (2FA) for a Google account on multiple devices, including devices you want to activate in the future:

  1. Instead of scanning the barcode during setup, click "can't scan barcode".
  2. Record the code displayed on screen and keep it somewhere secret, secure, and where you can find it again in future.
  3. Find this saved code and enter it in the authenticator app manually when you first set up 2-Factor Authentication on each device.
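Why entering the same setup key on each device works, and why the codes are time-sensitive (as described in the authentication app section above), shown as an added example that is not part of the original article: the key shown under "can't scan barcode" is a base32-encoded TOTP secret (RFC 6238), and every device holding it computes the same code for the same 30-second time step. The setup key value below is constructed for illustration, not a real account secret.

```python
# Added example (not from the original article): a minimal RFC 6238 TOTP
# implementation showing why the same setup key yields the same code on every
# device, and why codes expire. Standard library only.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # Google Authenticator uses 30-second time steps

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def decode_setup_key(setup_key: str) -> bytes:
    """The manually entered setup key is base32; apps accept spaces and lower case."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was dropped
    return base64.b32decode(cleaned)

def verify(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift,
    comparing codes in constant time."""
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + i), submitted)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    # Constructed sample setup key (NOT a real account secret).
    key = "JBSW Y3DP EHPK 3PXP"
    secret = decode_setup_key(key)
    now = int(time.time())
    # Two devices that were given the same setup key agree on the code...
    print("device A:", totp(secret, now), "device B:", totp(secret, now))
    # ...and the code changes at the next 30-second step.
    print("next step:", totp(secret, now + STEP_SECONDS))
```

The RFC 6238 test vectors (secret "12345678901234567890", 8 digits) reproduce with this code, so it can be checked against any compliant authenticator app.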

Did you find this article useful?

If you found this article useful, let us know! Join the conversation on Twitter with @tawesoft