New Zealanders should consider two-factor authentication as part of their everyday online interactions – or at least that's the word from the New Zealand Bankers' Association.
Two-factor authentication (2FA) can involve signing into an application or website by using a combination of methods, including passwords, SMS verification, email verification from a different account or biometrics such as fingerprints.
“In short, 2FA is an extra layer of protection on top of your password. With 2FA in place, if an attacker knows your password, they won't necessarily be able to steal your money. It's like having a second lock for your door,” explains New Zealand Bankers' Association chief executive Karen Scott-Howman.
She says it is also important to protect passwords and PINs – but now most banks offer two-factor authentication.
These extra security methods can be applied to online banking access or to authorise transactions over certain limits, Scott-Howman explains.
“Banks do 2FA in different ways. Some send you codes by text message to approve certain transactions, while others use a device or token to provide an extra layer of security for you to access your accounts,” she says.
“It's worth checking with your bank to see if they offer 2FA, and how to activate it.
Two-factor authentication is one main focus point in this year's Cyber Smart Week, which runs from November 27 to December 1.
The Week is organised by New Zealand's Computer Emergency Response Team (CERT NZ) and Connect Smart.
CERT NZ says that people should be wary of ‘rogue codes' – if people receive a code for an account they were not trying to access, someone else may be trying to access it. CERT NZ also says that many businesses don't use two-factor authentication as part of their security – but this needs to change.
2FA can bring benefits including stronger login security, data theft reduction, user protection, a balance of security and usability if systems are prioritised correctly; flexibility for remote working; and it can be inexpensive to implement.
“If you're not sure where to start, think about which systems you connect to via the internet. Those are the systems that attackers can more easily get access and credentials from. Because they are easier to target, those are the systems that are most important to protect. These are likely to be webmail, a VPN or any other cloud-based services,” CERT NZ says.
“Two-factor authentication can't be 'switched on' during or after an attack. Businesses need staff and customers to enable and use 2FA before an attack for it to be effective.
Because two-factor authentication is not a fool-proof security measure, CERT NZ encourages businesses to use additional security practices.