Data breaches and leaks are announced almost every week. Thousands of accounts across different platforms are hacked every day. While such unauthorized access is often the result of misconfigured or unprotected servers, sometimes it is due to stolen login details. Scammers usually target companies and high-profile workers in an attempt to obtain their login credentials, but ordinary people often lose access to their accounts as well.
Phishing emails are sometimes hard to detect, so if you enter your login details for some account on a fake website, a third party will be able to access all your information, or even start using your account for malicious purposes. You can read our article about common phishing techniques and how to detect them, but if you want to protect your accounts better, you should add a second layer of protection – two-factor authentication (2FA). In this article, we will look at the different types of 2FA, what applications you can use, and how to add 2FA to a few popular CMS and e-commerce applications so that you can protect your clients’ accounts. You will also find out how to activate 2FA for your accounts with ICDSoft.
- What is two-factor authentication and why you need it
- Types of two-factor authentication
- TOTP software
- Phone apps
- Browser extensions
- TOTP hardware
- How to add two-factor authentication to your website
- Protecting your ICDSoft accounts with 2FA
- In conclusion
What is two-factor authentication and why you need it
Two-factor authentication increases the security of your account. You will come across different names that refer to the same method – two-step verification, login authentication, 2FA, etc. In simple terms, once you enter your username and password, you will have to enter a token or perform an action to confirm the login attempt. If the 2FA action is not successful, the login attempt will fail, even if the login credentials are correct.
Using two-factor authentication means that you have to verify your identity by using two out of three factors when you want to access an account:
- Something you know. Usually this is your password, but it could be a PIN code as well.
- Something you have. This can be your phone or a hardware token.
- Something you are. In the general case, this is your fingerprint, but any other biometric measurement can be used – retina scan, voice recognition, etc. While this option is the most secure one, it is also the least popular one.
Using two-factor authentication will increase the security of any account. It will make it much harder for a hacker to obtain access to the account, as obtaining your password through social engineering will be almost pointless on its own. You should use 2FA for practical reasons, as long as the provider offers that option. Here are a few examples:
- If you use online banking, you can lose some or all of your money if somebody gets hold of your login credentials.
- Any unauthorized access may result in identity theft as the third party will have access to your personal details and may decide to use them in an attempt to impersonate you.
- If you play some game online, you will lose all the time you have invested and items you have gained through the years, including ones you may have bought for real money.
- If you run a website and somebody gets access to your account, you can lose the site content. Damages will range from spending time and money to restore the content, to going bankrupt if you don’t have a backup and your brand name gets compromised.
Adding 2FA on your own website will increase clients’ trust and it will be more likely for them to continue using your services as they will not have to worry about the security of their account. If you are worried about unauthorized access to your accounts and about losing money and digital assets, you can understand why your clients may be concerned about such things as well. What is more, you will not have to deal with the aftermath of a client’s account getting compromised due to the lack of additional security measures.
Types of two-factor authentication
Different providers support different authentication options, so you can come across different 2FA types. Here is a list of the most common ones:
- Permanent PIN. This one serves as a second password and it always stays the same until you decide to change it. This option is not very secure because if a third party could get a hold of your password, they could discover your PIN just as easily.
- Pre-defined answer to a question. Many websites use such an option. You have to choose one or a few questions and then enter their answers. Some services use a ready set of questions, others allow you to enter your own question/answer pairs. Upon login, you will see a random question that you will have to answer.
- SMS-based one-time passcode (OTP). This is a widely used option. Every time you log in, the service provider will send you a text message with a token that you will have to enter. This option is more secure as any third party that wants to gain access to your account will need to have physical access to your phone.
- Time-based one-time passcode (TOTP). This is probably the most popular two-factor authentication method. A unique token is generated every 15-60 seconds by an authenticator app or browser extension. You can link that app/extension to your account by entering a secret key or scanning a QR code that you will find in the account, if the service provider supports this type of authentication. The advantage of this option is that tokens expire quickly, so a third party has very little time to attempt to use sophisticated techniques to trick you.
- Email-based one-time passcode. If you use email-based two-factor authentication, either a code or a confirmation link will be sent to your email address every time you want to log in to your account. Usually, such codes and links expire after 10-15 minutes. The disadvantage of this method is that if your email gets hacked, the hacker will be able to reset your login credentials and then log in to any of your accounts, even if you have 2FA enabled.
- Push notification. With this method of two-factor authentication, you have to tap a notification on your phone. No actual information is sent, and no information can be intercepted, which makes this authentication method one of the most secure ones. To use push notifications, you must install an application from the same provider as the website you want to log in to, and the provider must offer such an authentication method.
- Biometric scan. This includes fingerprints, voice or face recognition. Due to the complexity of implementing and supporting such an authentication method, biometric scan is rarely used. Using a fingerprint or face recognition to unlock your phone and replacing one login option with another is different from two-factor authentication. Some phones offer 2FA that includes a fingerprint, though.
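To show what the TOTP method in the list above actually does when an app generates a code and a website checks it, here is an added worked example (written for this article; it is not code from any of the apps or providers mentioned). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, builds the otpauth:// URI that providers encode into the setup QR code (the same secret you would type in by hand), and performs the server-side check that runs only after the password has been accepted, tolerating one time step of clock drift either way and refusing to accept the same code twice. The issuer name, account name and the `TotpVerifier` class are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step; most services use this value
DIGITS = 6          # code length most authenticator apps display


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that a provider encodes into its setup QR code.

    Scanning the QR code and typing the key by hand give the app the same
    secret; the URI just bundles the label, issuer, digits and period with it.
    """
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret_b32}&issuer={quote(issuer)}"
        f"&digits={DIGITS}&period={STEP_SECONDS}"
    )


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server-side second-factor check, run only after the password was accepted.

    `window` is how many time steps of clock drift either way are tolerated.
    `last_counter` records the step of the last accepted code, so the same
    code cannot be replayed while it is still inside the window.
    """

    def __init__(self, secret_b32: str, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1   # per-user state; persist it next to the secret

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        code = submitted.replace(" ", "")
        if len(code) != self.digits or not code.isdigit():
            return False
        now = time.time() if at is None else at
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue   # already used, or older than an accepted code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment: a new user links the secret, then logs in with a code.
    secret_b32 = generate_secret()
    print("QR contents:", provisioning_uri(secret_b32, "user@example.com", "Example Host"))
    verifier = TotpVerifier(secret_b32)
    code = totp(base64.b32decode(secret_b32))
    print("code accepted:", verifier.verify(code))     # True
    print("same code again:", verifier.verify(code))   # False, replay blocked
```

Two details matter on the server side: the comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how many digits matched, and the accepted counter is stored per user so that a code captured by a phishing page cannot be submitted a second time within the 30-second window. The `window` of one step is also why a device clock that is off by a minute or more leads to rejected codes, which is the situation the time-sync option in some authenticator apps is meant to fix.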
TOTP software
All 2FA methods above are either tied to you personally (biometric scan, access to your phone, i.e. something you are or something you have) or handled entirely by the website/app (PIN, predefined questions). The time-based one-time passcode, however, requires additional software. This is the most widely used authentication method, so we will mention the most popular phone apps and browser extensions you can use. It is recommended to use a mobile app, as it will be installed on your phone and it would be extremely hard for a third party to access it. Using a browser extension is more convenient and faster for your daily work, but it also makes it easier for other people with access to your computer to log in to your accounts.
Phone apps
- Google Authenticator (Android, iOS). This is one of the most popular phone applications as it is very easy to use. The clean interface allows you to add a key or scan a QR code, and to sync the time of your device with Google’s servers, as an incorrect device clock is a common reason for verification tokens being rejected. If you want to change your phone, Google Authenticator comes with a handy option to export and import all accounts at once.
- Microsoft Authenticator (Android, iOS). Another application with a very clean interface, but with more options you can use. A couple of examples are cloud backup and screen capture, which allows other applications to read the verification codes automatically. In addition, you can use the application to store and autofill your passwords. For better security, you can enable app lock with PIN or biometric authentication that has to be passed before you can use the autofill option.
- LastPass Authenticator (Android, iOS). LastPass is one of the most popular password managers, but the company offers an authenticator app as well. Unlike other similar apps, this one is available in seven languages and supports custom sorting and searching through the verification codes. The backup option allows you to store your accounts only in a LastPass account, and you will have to install LastPass Manager for that. LastPass Authenticator supports PIN and biometric app lock options.
- FreeOTP (Android, iOS). This is a free, open-source application, so if you are a fan of open-source projects and you prefer not to rely on large corporations for your security, FreeOTP should be your choice.
Browser extensions
- MYKI Password Manager & Authenticator (Firefox, Chrome, Edge). This is actually a password manager that also includes an authenticator option. You will have to pair the browser extension with the MYKI desktop or mobile app. All data is stored locally, and not in the cloud.
- Authenticator (Firefox, Chrome, Edge). A simple, but powerful extension. Even if you use it with a desktop browser, you have an option to scan a page for a QR code if you don’t want to copy/paste the secret key. If you select the Manual entry option, you will see different modes – time based, counter based, Steam, Battle.net (the last two are gaming platforms).
- Open Two-Factor Authenticator (Firefox, Chrome, Edge). Another cross-browser extension that allows you to set up 2FA. You can encrypt any entry with a master password, so the passcode will not be revealed unless the master password is entered. This gives you an additional level of security. The extension comes with more than 20 icons of popular services that you can use for the passcode entries.
TOTP hardware
Some platforms support the use of hardware tokens instead of software ones. You will find NFC-programmable and USB-programmable tokens on the market. Once the hardware token is set up, you will be able to use it without an additional desktop or mobile device – you will only have to use the verification codes that are generated on the hardware token. Every time you press a button on the token, a new code will be generated.
YubiKey and Duo are a couple of examples of hardware tokens that can be used with a number of popular services such as Facebook, Salesforce, GitHub, Coinbase, etc. Some companies offer hardware authenticators that are already set up to work with their services, or even with a specific account.
How to add two-factor authentication to your website
You can enable two-factor authentication for any website or service you use, as long as it offers such an option. If you run your own website and people can open an account on it, you can add 2FA support on it as well, and allow people to enjoy the same level of protection you would like to have for your own accounts. Below, you will find more information on how you can do that for a few popular applications. We will not mention how to add 2FA to a custom-built website or app, as this will require a certain level of programming skills. If you have those skills, you probably don’t need a tutorial. If you don’t have the skills, you had better contact a developer.
If you use one of the applications below, though, you can add 2FA with ease, so you can continue reading.
- WordPress. Similar to many other functions, you can add two-factor authentication to your WordPress site by installing a plugin. You will find different options in the WordPress repository, such as Two Factor Authentication, WP 2FA, or Two-Factor, for example. Depending on the plugin you choose, people will receive a verification code to their email or will have to enter an app-generated code every time they want to log in to their account. You can also select whether the 2FA protection should be enforced for all users, or only for certain groups/roles.
- Joomla. Log in to the dashboard and go to Users -> Manage -> click on the Administrator user -> click on the Two Factor Authentication tab. You can select the default authentication method there. By default, Joomla supports Google Authenticator and YubiKey. Once enabled, the 2FA option will appear for any user.
- Drupal. To add two-factor authentication to your Drupal website, download, install and enable the miniOrange 2FA module. Go to Configuration -> miniOrange Second Factor Authentication and sign up for the miniOrange service. After that, click on the Setup Two-Factor tab and you will find 16 different 2FA methods – email, SMS, hardware token, security questions, etc. Choose the one you prefer and you are all set.
- Moodle. Download the Multi-factor authentication plugin. Log in to your dashboard and go to Site Administration -> Plugins -> Install plugins, then install it. You can enable two-factor authentication for different user roles, add security questions, or even enable this additional authentication layer only if users try to log in from specific IP ranges.
- OpenCart. To add 2FA to an OpenCart store, download Two Factor Authentication for customers + admin, then log in to the dashboard, and install it from Extensions -> Installer. Enable the extension from Extensions -> Modules, then go to Extensions -> Modifications, and just click on Save without changing anything. If you click on the top right to see your profile information, you will notice the new Two Factor Authentication option that has appeared there. Any of your customers will be able to enable this option if they want to add extra protection to their account.
Protecting your ICDSoft accounts with 2FA
We offer two-factor authentication both for the Account panel and the hosting Control panel. For either one, you can activate the option from the My Account section, where you will find a secret key and a QR code. You can use either option depending on whether you want to use a phone app or a browser extension. Add the key or scan the code to link it to your favorite app/extension, and from then on, you will have to enter the token generated by the app/extension every time after you enter your username and password. If you create a subuser for a hosting account, you can make it mandatory for them to set up 2FA the first time they log in.
Of course, for maximum protection you should have a full backup of your content as well. We keep a couple of daily backups of all account data (files and emails) for 7 days with our shared plans and for 15 days with our Managed VPS packages. Two more monthly backups are available for 12 full months with our Extended backups upgrade. This way, no matter what happens, we’ve got you covered.
In conclusion
Protecting your accounts is vital, as you can easily lose money, personal information, or access to services. Enabling two-factor authentication for any account that supports the feature can give you peace of mind and can save you a lot of time and money that you would otherwise have to spend mitigating the damage if an unauthorized third party gains access to any of your accounts. While some 2FA methods are better than others, not all of them are available with all providers. What is important in this case is that even some protection is better than no protection at all.
Whether you use our services, you have an account with another provider, or you want to offer additional protection to your own customers, you should enable/add two-factor authentication as soon as possible.