80% of all hacks come from credential theft. The danger of compromised account credentials has been a growing cybersecurity issue as more companies have moved their data to the cloud. More sophisticated AI-based network security has also pushed cybercriminals to focus on password theft: it is more difficult to bypass firewalls with advanced threat protection, but with a valid user password an attacker can virtually walk right into an account. Texas businesses are often juggling competing issues. For example, they need more cloud services to ensure business continuity for things like phone systems and accounting tools. But the more cloud accounts employees use, the less secure their passwords tend to become. People can only remember so many strong, unique passwords at a time, which causes them to adopt bad login habits, such as:
Reusing the same password for multiple accounts
Using weak passwords
Storing passwords insecurely (such as in a plain-text spreadsheet)
77% of all cloud account breaches are due to compromised passwords. One of the best ways to counter credential theft and improve password security is through the use of TOTP (Time-Based One-Time Password) Two-Factor Authentication.
How Does TOTP Two-Factor Authentication (2FA) Work?
With TOTP 2FA, users have to go through an additional step for user authentication. This significantly reduces the chance that a hacker with a stolen password can gain access to an account.
Let’s break down each part of this protocol to explain further how it works. We’ll start with 2FA.
Two-Factor Authentication (2FA)
Two-factor authentication refers to adding a second factor by which to authenticate a user. There are typically three factors of online identification:
Something you know: A username and password combination
Something you have: A device in your possession that a code can be sent to
Something you are: Biometrics, like a fingerprint or retinal scan
All account logins typically start with one factor of authentication, the username/password that you know. The problem with using just one factor is that a hacker can easily guess “what you know,” buy a list of breached passwords online, or crack the login using password-cracking software. When a second factor is added, usually the “what you have” factor, it is much more difficult for a hacker to breach the account because they don’t have the device that’s in your possession. Login with 2FA typically works by sending a passcode to an authorized device when a user tries to log in. The user must then enter the passcode to complete the login and gain access.
Time Based One Time Password (TOTP)
TOTP refers to a time-sensitive, one-time passcode that is sent to a user at login. This is the second factor of authentication used widely in 2FA.
The code will typically need to be entered within 5 to 10 minutes of receiving it, which increases security. The passcode will also be unique every time you receive it (i.e. “one time”). This also increases security and eliminates the risk that someone could get hold of the passcode and try to use it for a subsequent login: the code would no longer be recognized as valid.
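To make the “time-based” and “one-time” properties concrete, here is an added example (not code from the original article) of how a service generates and checks a TOTP code. It assumes the RFC 6238 defaults (a 30-second time step, 6 digits, HMAC-SHA1) and uses the RFC’s published test secret as a constructed demonstration key; the class name TotpVerifier and the one-step drift tolerance are choices made for this example. The verifier records the last time step it accepted so that a code captured by a phisher cannot be replayed for a second login.

```python
"""Minimal RFC 6238 TOTP generator and server-side verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed RFC 6238 defaults: 30-second time step, 6-digit codes, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way an authenticator app would enrol it. Never reuse it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side check for a single enrolled user.

    Accepts the current time step plus `drift_steps` either side to tolerate clock
    skew, and refuses any step at or before the last accepted one, so a code that
    was already used (or intercepted) cannot be replayed for another login.
    """

    def __init__(self, secret_b32: str, step: int = TIME_STEP, drift_steps: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.drift = drift_steps
        self.last_used_step = -1   # persisted per user in a real deployment

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_used_step:
                continue                             # already consumed: replay rejected
            # constant-time compare so the check does not leak matching digits via timing
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(DEMO_SECRET_B32, now))
```

Running the script prints the code an authenticator app enrolled with the same secret would show right now. Because the verifier keys its replay check on the time step rather than the code string, the same six digits appearing again in a later window (which happens by chance roughly once per million windows) are still accepted, while reuse within the original window is not.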
Why is TOTP 2FA So Important?
In short, TOTP 2FA is incredibly effective at blocking compromised-account login attempts, which makes it a safeguard that every person and business should be using on every account they have. Two studies were released, one by Microsoft and the other by Google, and both found this method of credential security to be a significant safeguard. According to Microsoft, using 2FA is 99.9% effective at preventing fraudulent sign-in attempts. Google’s report went into more depth and looked at effectiveness against different attack types and different ways the TOTP was received. It found the effectiveness of 2FA in blocking account takeover attempts to be:
100% effective against automated bots
99% effective against bulk phishing attacks when an on-device prompt was used
96% effective against bulk phishing attacks when an SMS code was used
Companies sometimes fail to implement 2FA because they think it will slow users down and be cumbersome to use. But it only takes a few seconds, and the return you get in cloud account security is well worth it. Companies with multiple logins can also implement SSO (single sign-on) tools that allow employees to go through 2FA authentication just once for all their apps. Reasons that your company should be using TOTP 2FA:
It’s inexpensive to implement (most apps/accounts have it available at no charge)
It’s very effective at stopping account takeovers
It’s easy for employees to use
It solves the “bad password habits” problem
It protects against compromised credentials due to a large vendor data breach