The Duo 2019 State of Auth Report is now out, and it contains useful information about the evolution of two-factor authentication (2FA) and the best practices for using it. The report has insights on how 2FA is being used by people all over Europe and North America and how 2FA can be used in the most secure way possible.
Users who have recently implemented Duo 2FA on their login systems are familiar with the 3 options Duo provides to authenticate themselves. But are all verification options created equal?
The report found that SMS (text message) authentication was the most commonly used 2FA method. This could be because it is the option most widely offered among 2FA providers. However, SMS authentication is not the most secure option.
For starters, SMS verification is more time-consuming than other options, such as Push. The report shows that users can, on average, save 13 minutes annually with the Push option over SMS authentication. Users just want to get access to their systems in the most frictionless way possible. SMS authentication seems simple enough but requires the user to remember a 6-digit code. This forces the user to take an additional step compared to Push, where simply tapping the green check mark fully authenticates the user.
There is a common belief among users that the most important accounts to protect are the ones that contain financial data. A typical user gives banking accounts, brokerage accounts or any financial accounts preference over other personal accounts. On the surface this makes sense: hackers are mainly after your money, so it is logical to secure your financial data first. But this way of thinking underestimates the sophistication of modern hackers.
Your data from other accounts can be as valuable as your money or, in some cases, even more so. Hackers can find ways to monetize your data from such accounts. For example, let’s assume you are using 2FA on your bank account and your preferred verification method is SMS. Most 2FA systems have a mechanism for enrolling a secondary device for 2FA if the primary device is lost or stolen. This mechanism is usually tied to your email account. So if your email account is compromised, a hacker can potentially find ways to bypass your 2FA by enrolling a device that is in the hacker's possession. For these reasons, your email account should be the first system to protect with 2FA if using an external system such as Microsoft 365.
To read the full 2019 State of Auth report, click here.
Call us now to set up 2FA in your firm and to make your firm cyber resilient! 647.426.1004
Faraz Mehmood is a Sales and Marketing Coordinator at Triella. We are a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Faraz can be reached at 647.426.1004. For additional articles, go to our blog page. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.
© 2020 by Triella Corp. All rights reserved. Reproduction with credit is permitted.