Large corporations have been employing two-factor authentication and multi-factor authentication for years to protect against customer identity theft, fraud, data theft, phishing and other cybercrimes. However, with statistics showing hackers are increasingly targeting small businesses, now small enterprises, mid-sized businesses and even work-at-home entrepreneurs are embracing the technology. Due to the complexity, expense and lack of knowledge about the best way to implement such systems, many businesses are still hesitating despite the risk.

That’s foolish, however, since IT experts now regard two-step authentication as a basic security feature that all businesses must have. This article contains tips and strategies to help slow-to-act business owner’s transition into the technology. For more information regarding enterprise security, check out our Certified Information Security Manager (CISM) certification program.

What is Two-Factor Authentication?

Two-factor Authentication (TFA) is a two-step login process that uses more than a typical username and password/PIN. TFA requires a second layer of verification in addition to that. A physical verification of identity may be required, whereby the person (worker or customer) uses a key, smart card, fob or USB token; in the case of customers, these can be mailed along with readers or computer attachments. A tablet or Smartphone can also be used as the physical factor through the use of a time-sensitive code that is sent to the device during login; this is the most common method for online businesses to employ for their customers.

Other TFA setups require no physical verification, but instead memory. Memory verification requires the user to identify personal images as they log in or orally state a phrase that only they know. Alternately, they can type in a phrase. In some sophisticated networks, fingerprints or facial identity recognition is used.

The benefit of the two-factor system is that even if a thief or hacker acquires knowledge of someone’s username and password, it’s useless without some type of physical or secondary verification.

Initial Considerations

Before jumping into process of instituting two-factor-authentication, take some time to plan what type of login process you want, what provider will install and configure the system and what media methods you desire (tokens, cards, code transmission, etc). Decide what budget you want to set up and what employee will manage the system and be responsible for upgrades.

After you know that, take advantage of the following tips to make sure your decision is sound.

Six Tips for Setting Up and Using TFA Efficiently

1. Shop for affordable alternatives to the Big Three

Since the dawn of multi-step authentication, three dominant companies — RSA, VeriSign and Pinsafe — have answered the calls of big corporations seeking to employ the new technology. However, these providers are prohibitively expensive for smaller enterprises.

If you haven’t considered TFA because you’re scared of the pricing, know that there is an array of companies catering to small shops who don’t have big budgets for security.

Here are a few affordable options to consider, although there are many more:


Twilio- Twilio specializes in mobile two-factor authentications; they do away with expensive keys and cards, relying only on mobile devices like Smartphone’s. The company creates a simple app for your company that users download to their Smartphone’s in order to receive their secondary login credential: a pin that is securely texted to the app, not the customer’s general messaging system.

The setup up is inexpensive because businesses simply pay monthly or weekly and incur no upfront installation costs.

Duo Security – Unlike the major providers, Duo Security, much like Twilio, allows you to avoid the expense of licensing software, installation and technology support. It uses mobile two-step authentication , but also physical tokens, if desired. The mobile options are diverse: those with touchscreen devices can tap their identity; others can receive phone calls or text messages. Businesses are charged based on how many people use the system each month. There’s even a free option for people who only need 10 users each month; this is usually just for personal websites who need security for staff to login.

Phone Factor- Phone Factor relies on mobile devices, like the two companies above. It will use apps, text messages or phone calls to provide the second layer of authentication. It too offers a free level of service for 25 users.

2. Employ a code-based alert system.

Don’t just rely on two types of logins. Pay extra to set up an alert system that will send out notices if a person or an automated robot tries to login after multiple failed attempts. This offers additional protection.

Don’t think that just because your network emails users whenever a password is changed or an order is purchased, that that will apprise them of a breach. If a cyber criminal figures out a way to log in successfully after several failed tries, he can reroute these messages so the account owner is clueless for days or weeks, allowing the crime to grow cold.

Alerts can be arranged in the form of text messages, emails or automated phone calls. The best systems send two types of alerts simultaneously. Also, sophisticated alert systems include a code for gaining access to the account — one that is different from a login code, which a hacker may change.

If your provider does not offer alert options, a third party IT professional can.

3. Update and monitor your two-factor system & notify users of their responsibility.

This sounds like a simple tip. However, you’d be surprised how many business owners install a two-step authentication system and believe the security is permanent and that the system will suffice for years. TFAs are safe, but not failure proof. Even Citibank’s TFA system was violated by hackers.

Since cyber criminals are constantly honing their talents and breaking through TFA buffers, TFA security systems must be monitored, analyzed and patched as vulnerabilities are discovered. Businesses should have an IT manager who can stay abreast of the latest developments in the world of two-step-authentication and recommend auxiliary software or hardware. Don’t think the two-factor system is strong enough to be used alone. The best bet is to make it part of a well-rounded security system.

Even with regular maintenance and updates, an infected user’s computer can still cause a breach. Recently, hackers have been using malware inside browsers to circumvent two-step authentication. This malware can alter account data without the user knowing after a successful login. For this reason, businesses should realize that safety also depends on sending regular advisories to customers to keep their computer security software current.

4. Require TFA for employees’ personal devices.

The growing corporate climate of Bring Your Own Devices can easily morph into Bring Your Own Disaster — as in a security disaster from employee use of unsecured tablets, laptops and Smartphone’s to access a company’s computer network. Prohibiting access with personal devices isn’t the solution, as it would reduce workflow and worker convenience.

Instead, register any employee computing device brought into the office or used remotely and tag them as physical identification devices that require codes in order for a login to be done on the device. Even if the tablet or phone gets stolen, since it is registered, administrators can simply cut off access to that device by nullifying its code and then trace activity on the device. This arrangement would require special setup by an IT professional.

5. Got the bucks? Consider a customized TFA system

Many businesses shy away from a ready-made, one-size fits all two-factor authentication systems. The biggest reason is that they fear customers or workers will be turned off by having to jump through complex hoops to log in to their account. They want faster and convenient but secure options. Customization can provide that, tailoring the login method or media to whatever a company’s users would feel comfortable with.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Smartcards, fobs and texted code words may be standard, but a company can come up with any kind of distinct media or login process. Some popular customizations use cookies as the second layer of verification, allowing logins to be super fast and no-hassle for their customers. Other special options include one-time passwords that never have to be entered again if the same device and IP address are used. The alternatives are endless.

6. Don’t forget to turn on two-step authentication on your domain or all your business TFA security can still be lost.

Customers, workers and the company network aren’t the only things which have to be protected. Sadly, if you have not secured your business domain with two-step authentication, your customers could still be at a risk for fraud and hacking. According to Sophos, a global company that specializes in computer security, hackers are now phishing for customer account info by breaking into hosting accounts, particularly those at GoDaddy, and discreetly setting up subdomains where they can phish for customer information. What happens is, the hacker will send email blasts with a link to the subdomain, tempting customers to login because it looks like a secure page connected to the real site’s URL. Once inside, hackers can lure customers to turn over credit card information and any other sensitive information.

With the continuous spike in online crimes, businesses can’t afford to sit idle and pretend current security is enough or that two-step authentication is too time-consuming to embrace. Don’t wait for a breach to realize the importance of TFA to your customers and business.