
Protect Remote Workers with 2-factor Authentication




For some time now, companies from various backgrounds have been searching for better ways to secure their workforce. After all, the workplace is becoming an increasingly complicated environment. We don’t just have employees logging in at the office anymore; we also have team members connecting at a distance with remote working schedules, and individuals tapping into apps from their own devices thanks to BYOD policies.

Even before the COVID-19 epidemic came along to shake up the industry and force more of us to work from home, we were all dealing with bigger security demands than ever before. However, now that global epidemics have proven once and for all that many organizations can allow their team members to work from home, business leaders and admins are going to have to rethink the way that they approach security.

Whether you’re dealing with an influx of remote workers right now, or you’re planning on implementing a new strategy in the future, the road to better security may start with multi-factor authentication, or “MFA”.

Here’s your guide to protecting your remote workers with Google’s solution for multi-factor authentication.

An Intro to Multi-Factor Authentication

Let’s start with a security 101 introduction to multifactor authentication.

Passwords are by and large the most commonly used and most vulnerable aspects of your digital control architecture. According to a report conducted by Verizon in 2017, 80% of hacking-related breaches use stolen passwords that were weak, easy to deduce, or grabbed through a phishing scam.

These days, criminals have absolutely no problem using things like social engineering and human psychology to exploit security vulnerabilities in the enterprise. Poor password protection is an example of the predictable human behavior that hackers can exploit in the modern landscape.

As more people continue to work from home and use their own devices, there will be even more opportunities for security issues to arise. After all, you don’t know for certain if the Wi-Fi networks, applications, and other tools that your employees are using are secure. Additionally, when your CIOs and IT experts can’t watch over your employees’ shoulders, how do you know that they’re sticking to your security and privacy policies when it comes to things like avoiding dangerous links and websites?

The trouble with relying on passwords alone to protect your business is that they don’t really provide much information on the unique identity of users. Passwords can easily be shared and exploited, with or without a person’s consent. The security level of a password pretty much rests in the hands of the account holder, and how much effort they’re willing to put in.

Let’s face it, we’ve all used easy-to-remember passwords rather than the recommended multi-symbol codes that our IT leaders suggest. It’s this kind of security shortcoming that has led to the rise of two-factor and multi-factor authentication in digital security. With MFA, or multi-factor authentication, you have something besides a password protecting crucial accounts.

Some MFA tools ask your employee to enter a code sent to their phone along with their password to access an account. Other, more advanced tools might use things like physical keys or biometric data.

The important thing is that your employees need more than just a password to access vulnerable data. That means that it’s much harder for criminals to unlock your sensitive information.

How Do MFA Tools Work?

As mentioned above, multi-factor authentication can come in a lot of different shapes and sizes. Usually, this secure access control procedure works by verifying the identity of your users with multiple credentials unique to the individual. Generally, two or more of the following credentials are involved:

  • Something the user is: This uses voice recognition tools and biometric scanners to identify a relevant user for an account.
  • Something the user has: This uses a device like a smart key or card to unlock something.
  • Something the user knows: Such as a password, PIN number, or the answer to a security question.

The addition of an extra security measure in multi-factor authentication means that if one of the authentication factors is compromised, like the password, the hacker still can’t get through. That’s because they still can’t access one of the other credentials.

If a criminal steals a password from a computer that’s left at a coffee shop, for instance, they won’t have access to the biometric data or unique PIN that’s been sent to the customer’s phone. This makes MFA one of the best and simplest ways to secure your Google technology.

The good news? Google has plenty of dedicated ways that companies can tap into multi-factor authentication from within their Google portfolio or G Suite. Like many other leading technology companies, Google believes that using just a username and password to defend sensitive information isn’t good enough.

Google’s MFA verification methods, like Titan security keys, Android and iOS security keys, and push notifications through Google Authenticator, can make a huge difference to your new remote working policy.

Is Two Factor Authentication the Same as MFA?

Two-factor authentication is one of the most basic and commonly used modes of multi-factor authentication. You’ve probably already been exposed to this form of security on most social media platforms and SaaS applications, as well as various offline services. One of the most familiar 2FA processes is sending money to someone via online banking. Usually, your bank will ask you to enter a code sent to your phone or email before you can continue with your transaction.

Even taking money out of a bank at an ATM is a form of 2FA. It involves using a physical card and entering a PIN into a machine. MFA, however, can also go beyond basic 2FA strategies. If simply sending a PIN by SMS isn’t enough, then businesses can also use strategies like biometric identification, where a program recognizes a person’s voice or fingerprint to give them access to crucial information.

In many cases, for business leaders, multi-factor authentication isn’t just a way to keep information secure and employees protected. Whether you’re implementing this strategy as part of your security plan for an epidemic or global crisis, or you’re doing it just as part of building your business, you may find that using MFA supports your compliance strategies too. Currently, many compliance standards require the use of multi-factor authentication from businesses across all devices.

For instance, the Health Insurance Portability and Accountability Act, otherwise known as HIPAA, requires all healthcare providers to document the process of data acquisition and transmission. MFA is a strong authentication process that can encourage and support compliance with this standard.

Accessing Multi-Factor Authentication with Google

Google recommends using multi-factor authentication to defend your business against breaches that are often caused by stolen or lost passwords. Google’s constantly updated machine learning models make MFA with Google more advanced than ever. You can use the Google machine learning tools to identify suspicious behavior in your environment and act immediately, from flagging abnormal behavior to presenting users with additional log-in challenges.

Google also offers physical security keys like FIDO security keys, or the Google Titan security key. These offer some of the best protection around. Indeed, Google Workspace (G Suite) accounts with support from FIDO security keys have been able to avoid hijacking, according to Google.

Some of the other features that Google offers for multi-factor authentication purposes include:

  • Reporting and auditing tools: Google supports business leaders and IT teams alike with support to monitor team use, establish notifications, and address potential risks through things like audit logs and detailed reports.
  • Unified security dashboards: Security center from Google provides businesses with access to analytics, actionable insights and best practices to help with monitoring threats and acting before damage can be done on a deeper level.
  • Single Sign-on: Businesses can increase productivity and improve employee experience with one-click access to various crucial business apps, both on-premise and in the cloud.
  • Endpoint management: If you’re allowing your team members to use their own devices when they’re working remotely, or on the move, then you’ll need a way to defend those devices from attack. Google offers endpoint management as part of the MFA solution for G Suite customers.

MFA and Google Identity Platform

A more recent addition to the multi-factor authentication strategy offered by Google came after Google conducted a study with the University of California, San Diego, and New York University. During this comprehensive study, the Google team looked at how effective things like basic password and account hygiene might be at reducing account takeovers.

Google’s research with the two leading universities found that something as simple as adding an SMS text as a second factor to a Google account can block up to 100% of things like automated bots designed to break into accounts with simple passwords. Additionally, multi-factor authentication methods can also help to protect against about 96% of bulk phishing attacks. The results also showed that MFA is effective at preventing around 76% of targeted attacks too.

To help companies of all sizes protect both their apps and their users, the Identity Platform within the Google portfolio has also been recently updated to support multi-factor authentication. The support for SMS-based MFA is now in beta, and it allows companies to configure their Identity Platform to ask for additional steps from users.

Configuring the Identity Platform with MFA requires users attempting to log into an application to enroll in two-factor authentication or multi-factor authentication methods and register a device that can receive SMS messages. When users attempt to sign onto an app using their first-factor credentials like email addresses and passwords, social log-in, and SAML, Identity Platform asks them to enter an authentication code. Individual codes can then be sent to users via SMS before they can sign into crucial apps and services.
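
A minimal server-side model of the flow just described, added here as an illustration; it is not Identity Platform code and does not use its API. The class and method names, the `send_sms` callback, and the five-minute lifetime and three-attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed per challenge (assumed policy)

class SmsSecondFactor:
    """Toy model of the enroll -> first factor -> SMS code flow."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, code); hypothetical SMS gateway
        self.clock = clock         # injectable so expiry can be tested
        self.phones = {}           # user -> enrolled phone number
        self.pending = {}          # user -> [code_digest, expires_at, attempts_left]

    def enroll(self, user, phone):
        self.phones[user] = phone

    def first_factor_ok(self, user):
        """Call only after the password/SAML/social check has succeeded."""
        phone = self.phones.get(user)
        if phone is None:
            return "ENROLL_REQUIRED"        # no session until a device is registered
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = [digest, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, code)
        return "CODE_SENT"

    def verify(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return "NO_CHALLENGE"
        digest, expires_at, attempts = entry
        if self.clock() > expires_at:
            del self.pending[user]
            return "EXPIRED"
        guess = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(guess, digest):     # constant-time comparison
            del self.pending[user]          # single use: a replayed code fails
            return "SIGNED_IN"
        entry[2] = attempts - 1
        if entry[2] == 0:
            del self.pending[user]          # stop guessing against this challenge
            return "LOCKED"
        return "WRONG_CODE"
```

The expiry, attempt limit and single-use deletion are what keep a six-digit code from being guessed or replayed; without them the second factor adds little over the password.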

Should You Add Multi-Factor Authentication to Your Strategy?

Multi-factor authentication is just one component of a comprehensive security and privacy strategy for many companies. These tools come with a small cost attached to them both in terms of actual expense, and the time that it takes to teach your employees how to use new services. However, the minimal cost that comes with implementing MFA tools is far outweighed by the benefits that these extra measures can provide.

Although adding MFA to your security and privacy strategy can represent a small inconvenience at first, it also means that you’re more likely to be compliant with the latest regulations and strategies for security and privacy. Whether in times of crisis, such as with the COVID-19 pandemic, or not, companies that go above and beyond to protect their employees and their customers’ data are the ones that often stand out from the crowd.

If you’re not sure whether MFA is one of the tools that you should be using to defend your company in this new digital environment, reach out to Apps Admin today for more information. We’re always here to help.
