Two Factor Authentication – What it is and How to implement it
One of the biggest pains of using the internet today is being forced to create a new account for nearly every basic service. Tech-savvy users know to use a password manager so they can create a unique, strong password for every website, but the average internet user is far less sophisticated. Even after being told over and over to use strong passwords and to create a unique one for each website, most users simply reuse an easy-to-remember password or write it on a note kept somewhere easy to reach. Believe it or not, in 2013 the three most common passwords were 123456, password and 12345678.
A Solution to the Problem
To limit the damage of password breaches, many leading companies such as Google, Twitter, Yahoo and Microsoft have begun to offer two factor authentication (TFA). While the implementation varies, two factor authentication works by requiring something the user knows (the password) together with a second, independent proof of identity, usually something the user has (a phone or a hardware token), so that a stolen or reused password on its own is not enough to log in. Typically this
The most common implementations send or generate a unique, short-lived login code for the user, either by text message (SMS) or through a mobile application that computes the code itself. Once a user enters their password they are prompted for the code before being let into the website. If the user cannot provide the code, they are prompted for a backup code, or they are simply refused entry. The two delivery methods are not equally strong: SMS codes depend on the mobile network and can be diverted by an attacker who takes over the phone number (a SIM swap), whereas an authenticator app derives the code locally from a shared secret and the current time, so it works offline and no code is ever transmitted to the phone.
One of the most common mobile applications for TFA is Google Authenticator; an open source alternative, FreeOTP, was created by Red Hat. Both implement the standard time-based one-time password algorithm (TOTP, RFC 6238), so a server that implements TOTP works with either app, and a code is only valid for a 30 second window.
Why Two Factor Authentication Is Beneficial
In an era where weak and reused passwords are cracked, or simply bought from earlier breaches, with ease, two factor authentication is one of the simplest and most cost-effective ways to protect user accounts. While other technologies such as biometrics exist, privacy concerns and technical limitations have made them impractical for most websites. Since two factor authentication can run as an app on the phone the user already carries (a dedicated key fob is optional), end users don't need to buy expensive hardware. The learning curve is also fairly low, because the same authenticator apps are already in use with many industry leaders' sites.
While users benefit from knowing their accounts are hardened against outside attacks, on the corporate end companies benefit from increased user confidence along with a significantly reduced risk and cost of fraudulent account access.
Simple CMS Integrations
As a web hosting professional it is crucial to ensure that your clients' websites are as secure as possible, since any data breach not only looks bad but can ruin your reputation with clients. Fortunately, when it comes to hardening WordPress, Joomla or Drupal, two factor authentication can be added with a simple plugin, and even a custom-built CMS can add it with a small amount of code.
For WordPress, one of the best two-factor plugins available is titled Google Authenticator. As the name implies, it lets you integrate Google Authenticator (TOTP) codes into your site with ease, giving your users a strong second factor without breaking the bank on software licences. The one pitfall of the plugin is that it offers no fallback other than disabling the plugin over FTP (renaming its directory under wp-content/plugins deactivates it). This means that if a client loses their phone and is locked out, you may be called to walk them through temporarily disabling the plugin, re-enrolling their new device, and then enabling it again.
For Joomla users, Two Factor Authentication is a free and open source plugin which lets website owners integrate Google Authenticator codes into their sites with minimal effort. One of its most important features is backup codes, which a user can enter when they don't have their phone on them. The plugin also supports enrolling a device either by scanning a QR code or by typing in the account name and secret key manually. These fallback options are vital for any website, since the last thing you need as a web hosting professional is clients complaining that they are locked out of their sites.
If you have clients running a Drupal site, Google Authenticator login is one of the most cost-effective ways to add two factor authentication. As with the Google Authenticator plugin for WordPress, the biggest downside is that a client without their phone is locked out until the module is disabled. If you want to prevent that, you can use a paid commercial solution such as Authy (discussed in more detail under the 'Custom code and more' section), which offers multiple fallback options so users can reach their accounts in more than one way.
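The backup codes the Joomla plugin offers, and the lockout the WordPress and Drupal plugins suffer without them, come down to a small piece of logic that a custom CMS can add itself. The following is an added example, not code from any of the plugins above: it generates a set of single-use recovery codes, stores only salted digests, tolerates the way people retype a printed code, compares in constant time, burns a code after one use and locks the fallback after repeated wrong guesses. The class, its method names and the in-memory storage are assumptions made for the example; in a real CMS the digests and failure counter would live in the user's database row.

```python
import hashlib
import hmac
import secrets

# Characters that are hard to confuse when read back from paper: no 0/o and no 1/l/i.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class BackupCodes:
    """Single-use recovery codes for one user (hypothetical helper for a custom CMS).

    The plain codes are exposed once at enrolment so they can be shown to the user; the
    server keeps only salted SHA-256 digests. The codes carry roughly 50 bits of entropy,
    so a fast hash is acceptable here, unlike for user-chosen passwords.
    """

    MAX_FAILURES = 5  # after this many wrong codes, accept none until an admin resets

    def __init__(self, count: int = 10, length: int = 10):
        self.salt = secrets.token_bytes(16)
        self.failures = 0
        plain = [self._random_code(length) for _ in range(count)]
        self._digests = [self._digest(c) for c in plain]
        self.plain_codes = plain  # display once, then discard; never store in the clear

    @staticmethod
    def _random_code(length: int) -> str:
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        return f"{raw[:length // 2]}-{raw[length // 2:]}"  # grouped for readability

    @staticmethod
    def normalize(code: str) -> str:
        """Tolerate the ways people retype a printed code: spaces, dashes, capitals."""
        return "".join(ch for ch in code if ch not in " -").lower()

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + self.normalize(code).encode("utf-8")).digest()

    def remaining(self) -> int:
        return len(self._digests)

    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once; wrong codes count toward the lockout."""
        if self.locked():
            return False
        wanted = self._digest(submitted)
        for stored in self._digests:
            if hmac.compare_digest(wanted, stored):
                self._digests.remove(stored)  # single use: the same code never works twice
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    codes = BackupCodes()
    print("Show these to the user once:\n  " + "\n  ".join(codes.plain_codes))
    first = codes.plain_codes[0]
    print("first use:", codes.redeem(first.upper()), "second use:", codes.redeem(first))
    print("codes left:", codes.remaining())
```

Whatever generates the codes, the recovery path must be at least as well guarded as the primary one: a recovery code that can be tried without limit, or that keeps working after use, turns the fallback into the weakest link of the whole login.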
How to Integrate This into Your Server's Core
While securing CMS installations is a vital part of any server admin's job, the plugins above protect only the CMS login; they do nothing against attackers who target the server itself. Fortunately there is a simple option for Apache based systems: the Google Authenticator Apache module adds a TOTP check to Apache's own HTTP authentication, so directories and admin panels that Apache protects require a code from the user's authenticator app in addition to their credentials, at no additional cost to you. Two caveats apply to any TOTP deployment: the server's clock must be kept in sync (run NTP), since the codes are derived from the current time, and the module only covers what Apache authenticates; other services such as SSH need their own second factor (Google also publishes a PAM module for that).
Strong Passwords Still Matter
Although two factor authentication is simple to add to your own and your clients' websites, there is still no substitute for requiring employees to use strong passwords on every site they use. Fortunately, a password manager such as Zoho Vault lets your staff generate a unique, strong password for every website. Rather than memorising every password, they are kept in an encrypted vault that can only be opened with a master password. For an additional layer of security, most password managers, Zoho Vault included, also support two factor authentication on the vault itself.
Despite its many security advantages, two factor authentication is still found only on a handful of leading websites, for various reasons. Regardless, it should be integrated into your websites, new and old, whenever possible, because a password on its own is no longer an adequate control. Although there is a slight learning curve for less tech savvy users, these systems can also be used to boost customer trust by showing that you take security more seriously than the competition.