John Podesta, Hillary Clinton’s campaign chair, probably thought he’d never fall for a phishing hack. But anyone, even Podesta, can make a careless mistake. His was clicking a link that redirected him to a fake Google login page where he entered his Google credentials. Just like that, Russian hackers had access to his Gmail account.
But the Podesta story didn’t have to end this way. If he had set up two-factor authentication (abbreviated 2FA and sometimes called two-step verification) on his Google account, the hackers never would have gained access.
Here are five reasons why your association should use two-factor authentication.
1. Two-factor authentication is simpler than you think.
Withdrawing cash at an ATM is an “offline” example of two-factor authentication: you need your PIN to log in (something only you know) as well as your debit or credit card (something only you have). One without the other won’t work.
You may have experienced 2FA if you tried to log in to your banking or credit card website using a mobile device instead of your usual desktop or laptop. You have to prove your identity by entering your password (something only you know) and a code sent to your mobile phone (something only you have).
Here’s how two-factor authentication works behind the scenes:
- You log in with your password.
- The server verifies your password and checks in with a third-party identification management server.
- This server generates a random code and sends it to your phone as a text message or via an app like Google Authenticator.
- You enter the code. If it matches, you’re in.
Two-factor authentication is a simple, inexpensive security measure to implement—because everyone has a mobile phone.
If Podesta had 2FA set up on his Google account, he wouldn’t haven’t been hacked. Instead, after using his email address and password in an attempt to log in, the hacker would have been presented with a page saying something about a code being sent to their phone. Meanwhile, Podesta would have known something phishy was going on when a code from Google showed up on his phone.
2. Two-factor authentication mitigates the password problem.
Regularly changing passwords is a sound IT security practice. However, when people have to change passwords frequently, they sometimes rely on insecure storage methods, like writing passwords down on sticky notes. Or they resort to using weak passwords that are easy to remember—and therefore easy to guess by hackers using password-guessing software.
Eliminate the password problem by requiring staff to use a password management tool like LastPass or Dashlane. These tools generate complex passwords and store them in the cloud so staff can look them up quickly on their laptop or mobile devices. But, make sure everyone has two-factor authentication enabled on their password management tool!
Some hackers don’t bother guessing passwords, instead they try to get passwords reset. They often find the answers to security questions, like your high school mascot or your dog’s name, on Facebook accounts with lax privacy settings. With 2FA, even if someone steals, guesses, or tries to reset a password, they won’t succeed unless they have your phone as well.
3. Two-factor authentication protects sensitive data
Podesta was just the middle step on the way to the real prize. Hackers targeted him because he had sensitive information about a specific client—Hillary Clinton. So, too, your association may have sensitive information about your members and customers—and it’s your association’s duty to safeguard that information.
Imagine this. A member calls to renew her membership. The program assistant writes down her credit card number and emails it to accounts receivable. How secure is that number in the email to accounts receivable? Or if the member renews online, how secure is the credit card number in the online renewal form emailed to someone on staff?
It depends. That’s why we recommend using PCI-compliant ecommerce systems, such as Authorize.net or PayPal, instead of a DIY approach. PCI compliance requires two-factor authentication for any remote access to the cardholder data environment—in this case, the web app for the online form and the email server.
Weak or stolen user credentials are used in 95% of all web app attacks. With 2FA turned on, even if someone has the password to access your online form or email server, they still need the code sent to someone’s phone to get in.
4. Two-factor authentication prompts you to assess security needs.
Conduct risk analysis on each of your systems to assess the need for two-factor authentication on each of them. Take into account the mission-critical aspect of each system, consequences of a security breach, user impact of 2FA, sensitivity of the data, compliance requirements, and so forth.
For example, the extra layer of security provided by 2FA is a no-brainer for your financial management system and other systems where PCI compliance is required. The decision to add two-factor authentication to your AMS will depend on what’s more critical: the ease of logging in or data security.
We’ve gone through this assessment process ourselves at DelCor. We take safeguarding our clients’ data seriously so we set up two-factor authentication on access to our CRM. But, we don’t require it on less critical systems, such as our videoconferencing software.
5. Two-factor authentication is becoming a fact of life.
Cyberattacks aren’t going to stop, in fact, security experts believe they’ll get even worse. 2FA allows people to work remotely and securely. Some staff may resist it, seeing it as another hoop to jump through to get the data they want, but they’ll get used to it.
Staff’s resistance to two-factor authentication will depend on their experience with it in personal contexts. The technology has been around for years, but it’s becoming more prevalent. Slack, Google, Evernote, Snapchat, Dropbox, and Facebook all have 2FA, but many people don’t have it turned on.
Implement 2FA to keep your association out of the security news.
Learn from Podesta’s experience and turn on two-factor authentication for your critical personal accounts, like Google. Get used to changing your personal security habits because it won’t be long before your IT department will want you to change your professional security habits too.
How does your organization’s cybersecurity stack up? Download our infographic, Is Your Association Protected from Cyberattacks?, to learn where you might be vulnerable, so you can remedy weaknesses before they become problems that makes headlines in your industry.