Passwords alone do not provide adequate protection from cyber criminals. We look at how two-factor authentication can bolster your charity’s security
That’s because 2FA makes it harder for a cyber criminal to hack any accounts charity staff log into using a computer or mobile device. These could be bank accounts, accounts used to access cloud-based services for things like document storage and sharing, constituent relationship management (CRM) or email accounts, or accounts that staff members use to access their office computer systems.
The dangers of a cyber criminal accessing these accounts is obvious: they could steal money from a bank account, access confidential documents and client records, and take away large amounts of sensitive data.
Yet for many charities these accounts are still protected by nothing more than a password. Many people still use passwords that are easy to guess. And even if they use a long and secure password, they may fall victim to a phishing or a social engineering attack and unwittingly reveal their password to a cyber criminal.
What’s more, there is a danger that people use the same password for different accounts. That means that if a cyber criminal manages to get hold of just one password, they can use it to access various accounts.
In security parlance, a password is a single-factor authentication and it is considered to be "something you know". 2FA means that a second authentication factor must be supplied for a user to log on.
The most common types of 2FA fall into two categories: "something you have" or "something you are". Even if a hacker gets hold of "something you know" – the password – they still cannot access the account unless they also have the second authentication factor as well.
When security experts talk about "something you have", they mean an object you have in your possession when you try to log in. This is likely to be:
"Something you are" usually refers to some type of biometric like a fingerprint, a face or an iris scan, or a voice sample. In the past a biometric 2FA was unusual because of the cost of biometric systems, but today most mobile phones are equipped with the sensors and computing power needed to read these types of biometrics.
Like most things related to security, there is a balance to be struck between the security provided and the cost and convenience of a particular authentication factor.
The simplest and easiest 2FA to use is probably SMS-based authentication, but the drawback is that it is possible for a cyber criminal to intercept an SMS. The cyber criminal could acquire a cloned version of an intended victim’s SIM card, for example.
An authenticator app is considered more secure because the OTP is generated on the phone, making it impossible to intercept. The drawback here is that the it requires the user to download and install the authenticator app and constantly keep it updated.
Hardware devices may provide an even higher level of security, but as mentioned they are expensive and are more likely to be misplaced than a mobile device. However, hardware devices have the added advantage of not requiring the user to have a mobile phone.
Biometrics are generally considered very secure – the fact that many banks in the UK allow people to log in to their accounts using face scans or fingerprint readings is testament to this.
Biometrics have the added benefit that even if a cyber criminal gets access to a potential victim’s password and their mobile phone, they still will not be able to log in unless they are with the victim and able to coerce them into providing a biometric.
Most cloud service providers and many app-based services offer the option of using 2FA. Activating it is usually a matter of ticking an option and then providing details such as a mobile phone number, scanning a QR code to enrol an authenticator app, providing an address to send a hardware device, or enrolling a biometric such as a face scan.
Setting up 2FA to log in to internal accounts is a more complicated matter which needs to be carried out by a charity’s IT department or IT service provider.