In your handy adventure pack, you should have an asset list (accounts, systems, technology) and a password manager, full of unique passwords for each of those assets.
In this next step, we’re going to dive a little deeper and explore other ways to secure those accounts - using two-factor authentication.
Step 3. Turn on two-factor authentication
This fortnight, in your quest for greater security, we draw your attention to using two-factor authentication for any accounts that you can’t afford to lose.
It goes without saying, all of your listed accounts have some inherent value for your business. But a handful of those accounts are mission critical.
Taking an educated guess, the most critical accounts will include email, and any accounts where money or customer data is stored. If your company brand and market presence are a key asset, then your social media accounts are also critical.
Losing access to these accounts would be terrible.
Ideally, you would go through every account you have, go to the security settings, and turn on a setting called two-factor authentication (or 2FA). This would require you to use your password and something else when you log in (like a random code from an app, or a push notification to your phone). So even if someone managed to guess your password, or trick you into giving it to them, they still can’t get in.
Realistically, you should turn on 2FA for at least your most valuable accounts. To make this decision, think about which are the accounts that could stop your small group in its tracks and perhaps even be forced to consider shutting up shop.
I will admit something embarrassing. I have fallen for a phishing attempt before!
It was not my proudest moment - especially now as a infosec pro. I was in a rush and I received an email about suspicious login activity with a very helpful link to click and reset my password.
A link to reset my password. How helpful! That is a quick and easy way to solve my issue!
Well, busy me did not notice the login screen looked a bit off and after I hit ‘enter’ I assumed all was fine.
This turned out not to be the case. The link was a phishing link and it actually captured all my log-in details and well… That was the end of my online gaming career on Runescape. But it doesn’t have to be the end of yours!
If you can’t find the setting in your account, take a look at the list on the twofactorauth project. It is a community-run list of most major services and links to their help pages for setting it up. If the service you use does not support it, you might want to think hard about the data you keep on that site. Perhaps you can reduce the data you keep there, or maybe switch to a competitor on that list that does support 2FA.
When you do configure 2FA, you are often given something called “backup codes” or you are asked to setup a recovery email or phone number. Be sure to set that recovery email or phone number to one you control, and print out the backup codes are store them somewhere safe at home. You could even store them in your password manager if that is the safest place for you. You will need these in the off-chance you lose access to your 2FA method of choice and need to resort to a backup. (I won’t even tell you how many phones I have accidentally given a bath…)
Some 2FA is better than no 2FA; however some methods are stronger than others. If you have a choice, opt for push notifications through a phone app or hardware security keys (like Yubikeys). If those are not available, using a phone app to receive codes (like Google Authenticator or Authy) are good alternatives.
Another step finished. You are starting to be quite the secure small group by now!
A unique password and two-factor authentication adds a big level of protection on your accounts. It makes it much harder for attackers who are just resorting to simple phishing or password re-use attacks - which makes up for a large amount of the attacker population.
Next we are going to get more into securing any technology or systems that you use. Catch you in part 4!