Stupid Simple Security Tip #13 – 2FA or Not 2FA
We’ve established the importance of securing online access and the need to employ unique passwords. Still, password protection alone isn’t enough – you should enable another critical layer of verification with any restricted account.
The bad news is that only 39% of lawyers use this second layer, according to the ABA 2020 TechReport.
The good news is that this additional security is already built into almost every portal. You need only turn it on.
You’ve likely already been asked to enable Two-factor Authentication (2FA) and skipped it out of convenience or unfamiliarity. Let’s address the excuse I hear the most and rectify it.
Most common reason (activate whiny voice):
“But it’s more work to sign in and it’s annoying.”
Let me ask you this:
What is more annoying, taking a few seconds when logging in every few weeks or months, or dealing with a data breach?
Fact: your critical accounts are under attack. The bad guys really want to get in.
Choose your own adventure here. Do you:
- Act lazy and whiny and NOT enable a free security layer you have access to that would drastically increase the security of your practice?
- Take a few minutes to set it up, educate your team on the why and how, and greatly increase your security by enabling this security layer?
One more scenario.
Let’s pretend you suffer a data breach and you’re now answering to an ethics committee as to why you didn’t have 2FA enabled.
How sympathetic would they be to your response: “It was annoying”?
If a site you use only requires a password to get in and doesn’t offer 2FA, there’s a good chance that it will eventually be hacked.
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.
First, a user will enter their username and a password.
Then, instead of immediately gaining access, they will be required to provide another piece of information (that’s the 2FA – Two-Factor Authentication).
There are many options for 2FA, from a secondary PIN or a physical possession (a key fob that generates a token) to personal security questions, GPS location, biometric signatures, or access to an independent account (SMS/email – another reason to use different passwords!). Then there’s MFA… all too complex and likely a point where I lose some of you.
What I want you to take away from today is that the overwhelming majority of your online accounts should have 2FA available and you should take the time to set this up.
Take the time right now to return to those ten prime accounts where you already replaced your passwords and make sure that 2FA is enabled – there should be a link somewhere on the access screen (if not, check the help section, Google it, or call the institution).
Confirmation will take just a minute, and likely won’t be necessary with every login, usually only after a prolonged absence or when you sign in from new devices or locations.
You’re safer already!
Never think of the second factor as an inconvenience that takes all of 12 seconds, but as a layer of comfort that brings peace of mind. And please don’t ever tell me ‘it’s annoying, so I don’t use it’ – that’s a sore spot for me :).
Officer: “There is no sign of forced entry.”
You: “Yeah, well I would have locked my car, but I would have had to open my bag, take my keys out, press the buttons, just too much work.”