The War on Security : 2-factor Authentication

Staying secure.

Getting hacked, although rare, is a nightmare of lost productivity, wasted time and sometimes irretrievable loss.

Not a week goes by without a story appearing in the tech press about the latest victim of hacking – and with a life revolved entirely around the cloud it’s time to up the game.

Since 2014 we’ve ONLY used TLS/SSL security to access our cloud services and servers (https, or the little green padlock you see in the browser window). This was a big step towards securing both our infrastructure and that of our clients. We were the first major WordPress Agency in the UK to adopt 100% TLS/SSL for all new digital services back at the end of 2013.

As WordPress is one of the world’s most hacked platforms, it would be rather careless (incompetent?) not to use up-to-date security standards when working with clients digital services that, in turn, generate millions of pounds of revenue.

What TLS gives you is the assurance that information is encrypted between devices and servers – what it doesn’t do is assure that server are not hacked directly. This is trickier to control as it often outside the control of either our clients or ourselves.

It also doesn’t stop direct hacking to the WordPress platform via “injection-style” attacks that can originate from holes and leaks in WordPress plugins, services, functions and themes.

Enter “Multi-factor authentication”, a rather posh way of implementing security that needs more than just a password to access services. In our case we have elected to use mobile devices to act as that security device in addition to the good old fashioned password.

The additional device is required to complete the logging-in process, so even if a password was stolen or cracked, an attacker still couldn’t gain access to services without having the other device, which is in turn encrypted and secure.

And finally, we additionally encrypt the venerable old password using a sophisticated encryption platform, LastPass. This ensures passwords are not used more than once, they stay secure and our team have no direct access to the password themselves.

Belt, braces, rope, chain and the whole gamut of high-security. All as standard in our offerings.

Paranoid? Google’s spam guru, Matt Cutts, put it best: two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone).

Using a well crafted security policy ensures we have the tightest controls over access to server, systems, applications and digital services. Clients, and users alike, can be assured that we really value their privacy and security and not playing fast and loose with sensitive information.

And it’s easier than you think for someone to steal your password. Any of these common actions could put you at risk of having your password stolen

  • Using the same password on more than one site
  • Downloading software from the Internet
  • Clicking on links in email messages

2-Step Verification can help keep bad guys out, even if they have your password. How neat is that?

How we use Multi-factor authentication

Everyone in the team has access to our Password Platform, LastPass – this automatically manages and serves up passwords to anyone who needs a password, but without them seeing what the password is. This is the first line of security, the first factor in the security path.

When a team member tries to access the digital service, regardless of what it is, a second token is sent to the registered device (mobile phone) as a “Time-based One-Time Password” which is then quickly scanned or directly entered into the service being requested. If all is well the user is permitted access, if any of the steps are wrong, or the information incorrect the access is blocked there and then.

We use Google Authenticator on the phones to provide rolling codes so it’s easy to use and access without compromising security. Some services use SMS to deliver the codes, some use the internet. Either way, we are assured that we really do know the identity of the person trying to access the systems.

No more shared passwords, no more spreadsheets sitting on open drives containing login information, no more untraceable system access.

Want to implement multi-factor yourself?

Here’s a quick list of the digital services we use, and how to secure them.

Finally, many digital services use Google Login functions (such as Zendesk) and we use Google’s native multi-factor authentication process where possible as it’s easy, secure and widely supported.

I’m sure you’ll use other and different digital services so go hunting, maybe you can start here. Interestingly, it’s not just business services that are getting turned onto proper security, both Facebook and Twitter support multi-factor authentication, although they use more friendly language.

Be safe out there!