How Do We Prevent Hacking on the Cloud Through Authentication?

Failure to adopt two-factor authentication (2FA) or multifactor authentication (MFA) can be a major and costly mistake for those using cloud services. Adding security can make it less likely that you get hacked. Here are some tips to incorporate 2FA or MFA into your business.

• Could Hacking End Your Business?
• Factors to the Rescue
• How Does 2FA Work Exactly?
• 2FA in Action – 3 Steps of Access
• Trusted for Years

Could Hacking End Your Business?

Getting hacked and potentially bankrupted is one of those things that, like a car crash or an illness, can seem to be an unlikely threat until it happens to you. The figures for small business, though, are incredible: one in five small businesses get hacked each year, and 60% of those that do are bankrupt within six months. In other words, a scary percentage of small businesses get hacked each year, and for the majority of those that do, it’s “game over.”

Factors to the Rescue

If hacking is so common, how do we protect ourselves? The simple and most immediate step is making it just a bit more sophisticated to authenticate users so that you don’t accidentally open the door to the enemy.

That means rather than just having a password as your only cloud safeguard is simply not enough: you need at least one additional factor, according to Ed Bott in ZDNet. “An attacker who can get access to an important cloud service, especially e-mail, can commit espionage or sabotage, or he can just wreak havoc,” he says. “The solution is to turn on two-factor authentication (2FA) for every crucial cloud service you use.”

Two-factor or multi-factor authentication can be used for cloud servers or with any other type of cloud service.

How Does 2FA Work Exactly?

You can establish two-factor authentication in a variety of different contexts and configurations, but the concept is relatively simple and straightforward. When you have 2FA enabled, you are typically sent a secret code whenever you log into the account from an unrecognized device. Then you are generally sent a text message or get the code through a mobile app. These are available for various cloud SaaS services, but you can also set one up for your own purposes via an app that meets open standards for creating these single-use and time-bound codes.

One of the primary features of 2FA, then, is that you link each account to specific devices. That can be achieved by sending out one-time messages to the associated mobile devices. Then the code can be entered within a 2FA app on each device to verify it. “[Y]ou can also use an authenticator app, which pairs your device (typically a smartphone) with a web service,” explains Bott. “The setup usually requires scanning a barcode (after signing into your account, of course) or entering a lengthy encryption key.” This same setup that is available to consumers through Facebook, Google, and similar services is used by many businesses.

Scanning the barcode lets the authentication program know the phone used for scanning is trusted. Typically the user has the option of receiving the code text or using the authenticator app.

“I prefer using an authenticator app to avoid situations where I have network access but can’t receive a text message because of a poor cellular signal,” says Bott. “In fact, I have multiple authenticator apps on my smartphone, all neatly organized into their own folder.”

2FA in Action – 3 Steps of Access

Once you get everything set up, here is how you use 2FA in three steps:

1. When you create a login with two-factor authentication in place, after entering your username and password, you will be asked for another verification of your identity.

This step only occurs once with each device, assuming you store the computer as a recognized device. At this point, you need the code described above. That’s typically sent through the smartphone.

2. Get a 2FA code through a text message or an app.

The app generates the codes automatically, and a number should be available immediately when you open it.

One authenticator app can be used with various accounts.

These codes are time-sensitive, so once one is retrieved, it needs to be entered within a short window for it to work.

3. You have access.

Depending on the service and how you have it configured, you either will be established as trusting the device automatically or will have an option to trust it. The safest option is of course to keep all devices unrecognized, but for a compromise between security and efficiency, many companies choose to allow device recognition.

Trusted for Years

Two-factor authentication, also called multi-factor authentication (because yes, you could add more points of verification if you want) has been trusted for years as a simple way to keep networks secure. Even back in 2014, J. Peter Bruzzese was recommending in InfoWorld that “every network should support multifactor authentication, whether in the cloud or on premises.” In fact, he adds, “[h]ad the U.S. credit card companies, banks, and merchants implemented multifactor credit cards (common in the rest of the world), breaches such as the one at Target recently wouldn’t have been such a disruptive event.”

Two-factor authentication is just one piece of the cloud infrastructural puzzle of course. Just as MFA/2FA has been trusted for years, so have we. Atlantic.Net is a market leader in cloud hosting, with over three decades of experience in the industry. Our focus on security also makes us a leader in the HIPAA-compliant hosting industry.