A great way to increase the security of your site is to deploy two-factor authentication. Of course, you want to have complex passwords because it makes it difficult for someone to guess the correct login credentials. However, today, hackers have a number of different ways in which to locate the passwords, including the following:
- on a PC that has been stolen or discarded
- on other sites, if an identical password is used there
- via key-logging malware installed on the PC.
In addition to passwords, to heighten your security, you can install SSL certificates on your server and use other forms of encryption, such as the Point-to-Point Tunneling Protocol (PPTP) used for remote access to virtual private networks (VPNs). A simple way to target the login process specifically, though, is to add an additional step, another “factor.” This method – two-factor authentication, or TFA – is now available and recommended for accounts with Google, Microsoft, Facebook, and others.
With two-factor authentication, in addition to inputting a username and password, another piece of login information is required. The most common way to utilize TFA is with temporary codes sent to the user’s cell phone. That obviously makes intrusion into the account significantly more difficult, avoiding data theft and possible lawsuits.
Setting up two-factor authentication for internal server logins
You can establish TFA for a variety of your own internal credentials and also for your customers’ accounts. Here are options to enable a second factor for your website’s administrators and content managers on various systems. Bear in mind before setting up any of these solutions that you will need all those who add content to your site or manage it to be prepared for the new system.
WordPress – If you use WordPress for your content management system (CMS), setting up TFA is incredibly simple. There is a plug-in called Google Authenticator Application. Obviously, it was coded by a powerhouse tech company. All you need to do is install the plug-in. Keep in mind, you want all mobile devices of users to have the Google Authenticator app installed as well. However, the most important thing is having correct phone numbers. If the app is not installed correctly, it is possible to receive the temporary codes via text message or automated phone call from Google.
Joomla! – If you use Joomla! for your CMS, you have a number of different extension options. Because Joomla! is organized similarly to WordPress cloud hosting, it’s the same basic process to get TFA up and running.
Drupal – Finally regarding CMS logins, developers have created various modules for Drupal as well. Be sure to check the reviews for modules to ensure that you don’t run into any issues, which of course could be a major setback for your business.
cPanel/Plesk – Typically you will have the option within your hosting account CP to set up TFA as well. Much of the time, the authentication program that is available is the Google system. Again, make sure you are fully prepared for this change as adding a level of security makes it more difficult for legitimate users to access their accounts as well.
Setting up TFA for customer accounts
For two-factor authentication of customer accounts, you have two basic options:
- Paid solution – You can use heavy-duty TFA programs created by organizations specializing in security, such as Symantec. With any enterprise application you choose for your customers, you have the option to make two-factor mandatory or optional. Google and Facebook, for instance, allow users to decide for themselves. Depending on how sensitive the data is on your site, you may want to consider making it a necessary part of getting into accounts. Just as with preparing those within your own company for TFA, you want your customers to be notified in every possible way. You also want simple but thorough documentation and easy support access if anyone has trouble.
- Develop your own system – If you work with developers or have them on staff, you may want to consider developing your own system. Potentially this option could be less expensive over time, and you can design exactly as desired.
If you do go with the a paid or customized high-grade solution, the advantages are the following:
- TFA can be implemented for everyone – customers, site administrators, and all employees.
- You have a greater degree of options so you can figure out exactly how you want the two-factor authentication system to work for various scenarios. Perhaps two-factor authentication logins are more important to you when users are accessing specific areas of the site. Obviously, your degree of control over the TFA program is particularly enhanced when you develop it yourself.
Using TFA is wise, but it isn’t everything. At Atlantic.net, we also recommend these best practices for e-commerce security, many of which have broader implications for any type of websites including those that are using Atlantic.Net’s secure HIPAA compliant WordPress hosting solutions.