Whether you call it two-step verification or two-factor authentication, it is a hot topic among everyone from developers to corporate CEOs. The idea itself is simple: in addition to a regular password, users provide a second piece of evidence when logging onto a terminal or into a service or application. That second factor is usually a one-time code delivered to a mobile device (ever tried to do your banking from a computer that isn't your own? You probably hit a two-step login), either by SMS or generated by an authenticator app, or an additional passcode set up by you or your network administrator. Because the code is tied to something the user has rather than something they know, a stolen or guessed password alone is no longer enough to get in, and that is usually enough to keep out opportunistic attackers. Google has been using it for three years, Facebook for two, and Dropbox, LinkedIn, Apple, Microsoft and Twitter have followed suit in the past 12 months. But how effective is it really?
It is effective, say industry leaders, but certainly not a cure-all for your security worries. Like all security, it is only as strong as its weakest link, and two of the biggest weak points are the mobile apps and SMS codes that carry the second factor. Lose the device and you lose physical control of the authentication procedure; an SMS code can also be redirected to an attacker who convinces the carrier to move your number to a new SIM. And because most services do not ask for a code on every login (the "remember this device" option is common, and corporate network logins rarely re-prompt), an attacker who gains physical access to a device that is already trusted, or that still holds a live session, can reach your data without ever seeing the second factor.
But there are steps one can take to shore up the process around two-factor authentication. First, use a different password for every service used company-wide, and if you are a company or department head, require that all employees do the same. That means separate passwords for email, collaboration platforms and software programs, so that one leaked or phished credential cannot be replayed against the rest. Also consider a password manager such as LastPass or 1Password, ideal for personal or small-team use, or PassPack for a multi-user environment, which lets employees share access to an account without revealing the underlying password to one another.
An application such as Prey can help you track stolen or missing hardware, and Find My iPhone and Find My Mobile let you remotely wipe a smartphone, which matters precisely because the phone is the second factor. Lastly, never email passwords, educate your employees on the most common phishing scams, and keep them up to date with best-practice information. Bear in mind that a convincing phishing page can ask for the one-time code as well as the password and relay both to the real site while the code is still valid, so training staff to check where they are typing a code is part of the defence, not an extra.