Enable two-factor authentication to protect your data

Dental Products Report, Dental Products Report April 2020, Volume 54, Issue 4

There are many ways to protect your dental practice’s data and online accounts, but using “2FA” can increase your security and help you sleep better at night.

If you follow the news, then you most likely have heard about two major ransomware virus outbreaks that hit dental offices last year.

First, there were 400 offices mostly in Wisconsin that were hit in August, and then another 100 or so from Colorado that were hit in late November. In a previous article, I talked about ensuring that your IT company uses “2FA,” but since that’s so critical, I want to focus this article on a more in-depth look at 2FA, also called Two-Factor Authentication.

While there are many ways to protect your data and online accounts, in my opinion, the best method is Two-Factor Authentication. Two-factor authentication (also sometimes called “two-step authentication”) is a way to increase security. Instead of just a password, there are two parts involved: something that only you know, and something you have with you. The former is usually an existing password. The latter is something external that you control, such as a smartphone or your email account.

When logging into a site, after entering your password, the site will use one of two methods. Depending on how 2FA is set up, the site will either send your phone a text message with a code, or use an app on the phone (tied to the site) that generates a code. After the code is entered into the site, you’ll log in as usual. Some sites will allow you to check a box that makes the device “recognized,” so you don’t have to keep re-entering a code. However, I don’t recommend this, as a lost or stolen phone would put you at risk. There are some custom apps, but one popular app used by many 2FA-using sites is Google Authenticator.

So, what are the reasons you would or would not do this?

On the plus side, because you need two separate items to log into a site (the password and a phone), and because you likely have the phone with you, the security is greatly increased. Also, as many of you know, hackers use brute-force attempts to hack passwords, and 2FA makes this very difficult.

On the minus side, some people aren’t comfortable giving out their phone numbers to sites, and without a phone number or app, 2FA isn’t really going to work well. Obviously, it’s inconvenient to have to wait for and enter a code every time you access a site, especially if you log on multiple times per day. Finally, if you lose your phone, you may be locked out of the site. Some sites deal with this by generating a set of emergency codes to keep stored or printed out. The codes are useful in case a smartphone isn’t available.

At the very least, if you allow your IT company to provide remote assistance, make sure whatever software they are using uses 2FA, as this was the most likely way that the offices in Wisconsin and Colorado were attacked last year. Just ask them what remote control software they use and whether it uses 2FA to secure access. Another way that IT companies can restrict access is by having the software only allow access from a specific set of computers (the ones at their location), and blocking everyone else.

It’s important to realize that 2FA isn’t foolproof; there are reports of hackers still being able to bypass it. Despite the potential inconvenience, I highly recommend you enable 2FA for as many sites as possible. This would include credit card sites, banking, telephone, and utilities. In almost every case it’s free to do this, and you’ll sleep a lot better at night.