Of course, the more mobile you make your information, the more critical it is to secure it and the access people have to it. How can you be sure unwelcome guests aren’t using the same routes your mobile workers use to access company information?
A personal mobile device can be lost or stolen. And your company’s IT staff can’t monitor and safeguard public computers in hotels and libraries.
Even your virtual private network (VPN) and other seemingly secure parts of your enterprise systems are not immune to attack — as this story about a compromised airport network makes clear [1]. Signing in to the airport’s VPN was a two-step process, which is generally regarded as a best practice. But a combination of form-grabbing malware (which records the text you type into a form window) and screen-capture technology allowed hackers to conquer both steps, steal passwords and gain access.
So does that mean you shouldn’t bother with multi-factor authentication? Not at all! But not all multi-factor authentication systems are created equal, and today, you need more than just a password to secure critical information. A two-factor authentication setup requires inputting something you know (e.g., a password) and also something you possess. That possession may be a card that you swipe or scan, or it may be your phone or other personal device. In those cases, the system sends you a text, email or phone call, allowing you to acknowledge/verify the request to log in.
In the airport example from above, sophisticated malware was able to beat the two-factor sign-in process. For further security, then, you can look to three-factor authentication: In addition to something you know and something you possess, logging in requires something you “are” — like a biometric input, such as a fingerprint or iris scan.