What Singapore businesses need to know about two-factor authentication

By Chai Chin Loon

Amid the escalating trend of online theft and identity fraud worldwide, and recent news of the eBay, Heartbleed Bug, and SingPass data breaches, it is time for businesses to seriously consider adopting two-factor authentication (2FA). The Singapore government has led the way by announcing the introduction of 2FA for e-government services involving sensitive data or transactions.

2FA secures access to corporate networks, Software-as-a-Service (SaaS) and cloud applications, protecting the identities of users. It is an important second line of defence against unauthorised transactions arising from identity and password theft.

A 2FA platform requires a user, upon keying in his/her username and password (also known as first-factor authentication or 1FA), to additionally provide a one-time password (OTP) received via a physical token or on a handphone, to complete the transaction. 2FA transactions based on OTP provide an important additional layer of protection to counter cyber attacks.

Here are five compelling reasons why businesses should adopt 2FA:

1. Passwords alone are not secure enough

In the aftermath of a breach, most companies would call for their users to change their passwords, but passwords, no matter how complicated, can be cracked. We all know that the time taken to crack passwords increases exponentially the longer and more complicated the passwords are, but eventually all passwords can be cracked. As part of an experiment, hackers from Ars Technica were able to crack 16-character passwords in less than an hour.

2. People often make poor password choices

People often make poor password choices, such as choosing their birth dates and “1234” as their passwords. Even if their passwords meet the standard requirement of at least one number, one upper case letter, one lower case letter, and a special character, they tend to use the same password for every account. The more complicated a password is, the harder it is for the user to remember.

3. 2FA will protect your digital assets, boost consumer confidence, and enhance your market position

If your employees regularly access your company network remotely, whether through a virtual private network (VPN) or by checking email on a smartphone, 2FA makes it much safer and more secure than just a password. With industry espionage on the rise, it has become important for companies to secure their digital assets and prevent unauthorised personnel from accessing classified files and applications.

2FA also protects your end users' personal and financial information. Our social media monitoring has shown that in the wake of the recent high-profile data breaches, end users are now more open to using 2FA as compared to the past when they would complain of the perceived “hassle” and “inconvenience”.

Today, technology bloggers are not the only ones calling for businesses to adopt 2FA – lifestyle bloggers and their readers are clamouring for the same. By adopting 2FA, you are reassuring your customers of the level of security adopted to protect their data within your organisation, thus boosting their confidence in your business.

4. 2FA can be convenient too

There are different ways of implementing 2FA to create more user convenience. In March this year, the National Trades Union Congress (NTUC) removed the hassle of having to create and remember a password by authenticating logins to their U-Portal with token-generated OTPs. Users need only key in their National Authentication Framework (NAF) username and an OTP generated by their token when logging in to the U-Portal.

Like NTUC, CIMB Securities have also been innovative in their 2FA deployment. Securities traders key in their username and password (1FA) as per normal when logging in to view their account details and market information. Unlike previously when they had to key in their password each time they wished to execute a trade, they need only key in a token-generated OTP just once to execute as many trades as they wish before logging out.
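The login-then-OTP flow described above (password for viewing, one OTP to unlock trading until logout) can be sketched as follows. This is an added example, not code from the article or from CIMB Securities; it assumes the token produces time-based codes per RFC 6238 and that passwords are stored as PBKDF2 hashes, and the `TradingSession` class and its method names are hypothetical.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (assumed token type)."""
    return hotp(key, int(now) // step)

class TradingSession:
    """Hypothetical session: 1FA gives view access, one OTP unlocks trading."""
    def __init__(self, pw_hash: bytes, salt: bytes, token_key: bytes):
        self._pw_hash, self._salt, self._key = pw_hash, salt, token_key
        self.logged_in = False
        self.can_trade = False
        self._last_step = -1  # last accepted time step, so a used OTP cannot be replayed

    def login(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self.logged_in = hmac.compare_digest(cand, self._pw_hash)
        self.can_trade = False  # every new login starts view-only
        return self.logged_in

    def step_up(self, otp: str, now: float, step: int = 30, window: int = 1) -> bool:
        if not self.logged_in:
            return False
        current = int(now) // step
        # Accept small clock drift, but only time steps newer than the last one used.
        for s in range(current - window, current + window + 1):
            expected = hotp(self._key, s).encode()
            if s > self._last_step and hmac.compare_digest(expected, otp.encode()):
                self._last_step, self.can_trade = s, True
                return True
        return False

    def execute_trade(self, order: str) -> str:
        if not (self.logged_in and self.can_trade):
            raise PermissionError("OTP step-up required before trading")
        return f"executed: {order}"

    def logout(self) -> None:
        self.logged_in = self.can_trade = False
```

In a real deployment the last accepted time step would be stored per user on the server rather than in the session object, so that replay protection survives across sessions and servers.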

While SMS OTP is more convenient than token-based OTP, relying on SMSes has two disadvantages: occasional connectivity issues, and malware installed on smartphones that can sniff out the SMS OTP. Nonetheless, SMS OTP remains useful for less sensitive transactions alongside token-based OTP. Users should be given a choice of both options. For more sensitive transactions, token-based OTP is preferred.

5. Companies can achieve significant cost savings with NAF

The cost of installing and managing an in-house 2FA system can be quite significant. As well as the tangible costs of building the 2FA infrastructure, companies have to contend with providing a 24/7 support service to manage end users who find themselves unable to log in late in the evening or over the weekend.

It makes more financial sense to tap on the National Authentication Framework (NAF) which provides a robust security ecosystem, including a secure server location, world-class service level agreements, 24/7 end user support, and transaction-based charging – you pay only for what you use.

The NAF is designed to be very robust and is subjected to regular security audits. As a national system, the NAF is built to achieve a very high availability of 99.999%. To achieve this, it runs an active-active configuration hosted at two geographically-separate data centres that back up each other – ensuring zero recovery time.

Like any security policy, the real value of 2FA is in protecting against financial and reputational loss. You never know when your business – and your users – will be the next target.
