In today’s ever-connected, digital environment, there is increased risk of company data breaches and sensitive customer information falling into the hands of talented hackers. With recent large-scale corporate exposures of personal data, such as Target or Equifax, it’s more and more common that Americans have personally experienced some sort of data breach.
A study by the Pew Research Center found that 64% of Americans have experienced data theft, ranging from email and social media account takeovers to fraudulent tax returns and credit card charges.
So, it should come as no surprise that about half of Americans don’t trust key institutions – like the government and social media sites – to protect their data. According to the 2016 survey, 51% of tech users didn’t trust the social media sites they use.
In today’s climate of Cambridge Analytica wrongfully obtaining Facebook user data, that number hasn’t improved much. A Reuters survey from March 21 to 23 found that 51% of people don’t trust Facebook to obey the laws to protect their personal information. This is compared to 62% who do trust Google to protect their data and 66% who trust Amazon.
While the Facebook scandal was not the result of hacked accounts, but of an outside app to which users willingly gave their information, and which then sold their data, and their friends’ data, to a third party (Cambridge Analytica), many Americans have held Facebook ultimately responsible. The company has also suffered financially, with its stock falling 18% and wiping out $100 billion in market value.
With all the distrust by Americans of the institutions that they spend time on and that hold valuable personal information, it is surprising that so many individuals continue to rely on just passwords – and sometimes the same password – to protect their accounts.
The 2017 Data Breach Investigations Report by Verizon, drawing on data from 65 organizations, found that 81% of hacking-related data breaches involved stolen and/or weak passwords.
The increase in cybercrime and data breaches, both across the country and internationally, has many companies looking to add additional levels of security to their customer accounts.
Two-factor authentication (2FA), also known as multi-factor authentication, makes it harder for criminals to steal user information or access accounts with just a username and password obtained through hacking or other illegal methods.
2FA usually consists of something you know and something you have. In most cases, a customer’s username and password are the something they know. Unfortunately, hackers can also find this out.
That’s where the something you have comes into play. The most common form of 2FA is through a mobile phone. Users have this on them and companies can send a security code to the device via SMS text message.
Many institutions, like banks, have begun using this form of two-factor authentication, especially when logging into their site for the first time on a new device. This can also take the shape of a phone call during which the code is given to a user verbally.
Another kind of 2FA that takes the what-you-have approach is a hardware token. This is a more dated form of 2FA and was popular with organizations that wanted to protect employee laptops. Some devices even had to be plugged into a USB port. The token would display a code to enter as the second form of authentication. This method can be costly for organizations because it requires the purchase and distribution of a physical device.
Many companies have moved to a software token instead. This requires customers or employees to download an app that gives them a time-based one-time password (TOTP) that is valid for less than a minute. A popular app like this is Google Authenticator, which may be used for Gmail as well as third-party services. This method works offline, since the code is computed on the device from a shared secret and the current time rather than sent over a network, and so is less exposed to interception by hackers.
As more and more companies have their own branded apps, push notification authentication is becoming more and more popular. This requires a smartphone and an internet connection, but it allows the company to alert the user instantly that someone is accessing their account. The user can either accept or deny access. Apple uses this method when someone is trying to log into an Apple ID on a device that isn’t recognized. The push notification goes to a device that is already trusted. This method takes out the common step that other 2FA methods have of entering a code.
Some companies have taken two-factor authentication to another level entirely by focusing on who you are versus what you have or what you know. This is also known as biometric authentication. While this is commonly seen in spy movies, the most well-known, real-life version of this is using your fingerprint to access a smartphone, or Apple’s iPhone X facial recognition to unlock the phone. In those cases, it is single-factor access, but companies could add this level of security in addition to something a user knows or something a user has to make it 2FA secure.
A basic username and password is increasingly becoming obsolete as hackers find more advanced ways to obtain user data – most often financial in nature. In fact, the Verizon report found that 73% of data breaches are financially motivated and 24% of data breaches involve financial institutions.
Cybercriminals are looking for user data that can lead them to bank accounts or credit card information. This is why credit card companies and banks have been the earliest adopters of 2FA along with email providers, which are often used for bank communications.
Guarding money and valuable account information with 2FA is the easiest way to help prevent cyber-attacks. If username and password credentials are lost by the user, or a company has a data breach internally or by hackers, having 2FA limits the amount of damage that can be done. If the data is in the hands of the wrong people, these hackers likely won’t have the second factor, like the user’s smartphone.