
A Vital POPI Act Requirement: Two Factor Authentication

Have you ever had money disappear from your account while you are sitting at home? Or checked your ID number only to find that you are married to someone you have never met? Sadly, this is the risk we take when entering our personal information online. Whether in a personal or business capacity, we all face the possibility of having our information or identities stolen. While nothing can guarantee the safety of your online information, two factor authentication is a secure option to help protect your data.

Why are simple passwords not safe enough anymore? And what is two factor authentication? 

Let's take a look at some of the ways you can protect yourself and your business with a better digital security system.

What Is Two Factor Authentication?

Two Factor Authentication, or 2FA, is a two-phase security system requiring a password and/or username plus an additional security clearance. This can be as simple as a text message such as a One Time Password (OTP) or as complex as voice recognition, but either way, it requires more than one device to gain access. 

This is fast becoming the most secure option to protect your data, be it for your business or just your online shopping. As people have been spending much more time at home, online shopping has soared in popularity, and the more sites you shop on, the more information is out there. 

Good Business Sense 

With many companies having employees work from home, 2FA is constantly growing in popularity. It is a simple system, and people feel safe and confident using it. 

In a business capacity, even in a small or medium business, there is sensitive information that can be damaging to the company if it were to fall into the public domain. Staff details, financial information, and sensitive client information are things we need to keep as safe as possible. 

So, how do we protect ourselves in the best possible way?

Multi-Factor Authentication 

2FA is a subset of MFA (Multi-Factor Authentication) but should not be confused with it. MFA is a process that requires anything more than a single authorisation. If you are using a password, a PIN, and a fingerprint, this becomes MFA, not 2FA. 

How Does 2FA Work?

While it may be almost impossible to entirely secure online accounts, two factor authentication adds a layer of security to a sign-in process. It requires that, along with your password or username, you provide a secondary security option. Ideally, this second option should be harder to hack than your username or password. A simple example of what these could be is:

  • Something known
  • Something owned
  • Something “you”

Some secondary security options are better than others. Depending on the type of information you are protecting, it’s wise to explore all your options. But the bottom line is that any two factor authentication, no matter how basic, is better than a single password.

Something Known

This is something that the user knows: a password, the answer to a question, or a PIN. This is probably the simplest option to use as a secondary security point.

The downside of this is people forget! Even if you write it down (which is not recommended) you can misplace the piece of paper. This leads to people using the same passwords or answers for all their digital sites. 

Cybercriminals are aware of this, making it risky because once one site has been hacked, access can be gained into all of your online profiles. If you are guilty of using one password or PIN for all your online transactions, try and change it up a bit, even if it is adding a capital letter or number that is different in each one.

This security step can also be in question form – your mother’s maiden name or your favourite holiday spot. If so, try and use the option with an answer least likely to show up on your social media!

Something Owned

This is the next level of security in two factor authentication—something owned by the user, such as a bank card, smartphone, or hardware token.

The downside to this feature is that these are material items and can be stolen. But if that is the case, you know to be on the lookout and can close accounts or warn companies before thefts start. 

Something “You”

This is the top of the security heap and a great option for businesses with employees accessing extremely sensitive information. These can also be implemented on a smartphone and can tie in with the something owned authentication but on a higher level.

Biometrics is a security option that will make you feel like a secret agent. The most common form is a fingerprint – simple and easy and requires very little additional hardware or software. Alternatively, you can opt for voice or facial recognition, a common feature on the newest smartphones, or iris scanning.

This is the most secure form of two factor authentication because, if someone wants to gain access to the details, they have to use you! Not impossible, but slightly more tricky than stealing your credit card!

Why Does Two Factor Authentication Matter?

Everything that you do on your smartphone or your computer is exposed in some form to the internet. Without the proper protection, it is just there for the taking. 

Passwords are easy to crack. Usernames can be broken. But a two factor authentication can make a criminal think twice about following through with the process due to time constraints. 

Why Just a Password Isn’t Enough

Hackers are becoming more and more skilled at breaking passwords and PINs. And when you consider that “123456” is still one of the most popular passwords around, it’s not so hard to understand why!

Humans are notoriously bad at remembering things and often crack under what is known as security fatigue: becoming so overwhelmed by the amount of information thrown at you that you fall back onto the easiest option available. Names of loved ones, birth dates, or anniversaries are top choices and all quite simple to hack.

So much information is stored online in this digital age. We use smartphones and laptops for work, and online shopping is easy. Based on this, there has been a spike in cybercrime in the last few years, with no signs of it slowing down anytime soon. 

Old security systems are no longer secure, and suppliers are urged to implement tighter safety measures. Consumers also need to be vigilant and protect themselves wherever possible. 

Other Types of Two Factor Authentication

Let's take a look at some of your other options that are a little more business-oriented; once you have a bit more information, you can make an informed decision about what works best for you in a personal capacity and what can be implemented in the workplace. 

Hardware Tokens

Security hardware can come in the form of something small like a key fob or USB drive. These tiny devices produce a new numerical code about every 30 seconds. This code is your two factor authentication where you would enter a username, and then the code appearing on the device at the time. 

While this is an easy way to up your security, it can be a costly exercise to hand out hardware for a large business. Devices can also be lost, misplaced, or hacked.


Software Tokens

A popular choice of two factor authentication is a software-based system. This can be in the form of a Time-based One Time Passcode (TOTP). This code is generated by a software system and works via an app. This can be installed on your smartphone, laptop, or desktop. Enter your username and password at the point of sign-in, and a TOTP is then sent to the app. When prompted, open the app, and this will activate your sign-in. To increase the security of this, install the app on a different device from the one you are logging in on. 

The benefits of this 2FA are that it is simple and cost-effective and can be accessed from almost anywhere, even offline if needed. The downside of this is apps can be a little temperamental when you are switching phones, and this can cause issues.

SMS Text Messages and Emails

This security option is sent directly to the user's phone. When a username and password are entered, the online site sends through a One Time Passcode (OTP). This is a system extensively used by sites such as those for online banking. 

Alternatively, an email is sent out, and you can confirm or deny that you have requested authorisation by simply clicking a button. Some services such as Facebook offer this option every time there is a login from a new device or web address. This way, you are alerted to any unusual activity.  

This is a great system for low-risk activities but not highly recommended for users accessing personal or highly confidential information. The benefit of this system is that it can interact with any phone as it is a text-based system – no smartphone needed, so it is a cost-effective solution to increase safety.  

Push Notifications

A push notification is a message sent through to the user to accept or deny a transaction. No passwords, no entry codes, nor any additional information is required. While it does eliminate (to an extent) stolen passwords and phishing, it cannot be done without internet access. This does limit its success, but it is a user-friendly and secure way to protect yourself if you have a reliable internet connection all the time. 

A Back-up Back-Up

If you have opted for a two factor authentication system, it should come with a list of back-up codes. The best thing to do with these is to print them out and keep them somewhere safe. This way, you know where they are if you ever become locked out of your accounts for any reason.

Is It Secure?

Unfortunately, nothing these days is entirely secure. But the biggest risk to two factor authentication is not hacking as we know it but what is called social engineering.

Social engineering is lying and snooping to get the information needed. Peering over your shoulder at the ATM, or a fake phone call. Anyone can call through to an organisation pretending to be you and request that they reset a password. How should they know it’s not you? We can only hope that all businesses have a form of secondary authorisation in place that protects their customers. 

But two factor authentication is safe in itself and is seldom hacked; it is mainly extorted by human imagination!

Two Factor Authentication for the POPI Act 

South Africa passed the Protection of Personal Information Act (POPI) in 2013. The idea of the act is to assist in the protection of data subjects from theft, discrimination, and security breaches. 

Businesses were given eight requirements, each there to help protect the employee’s personal information. No one should be able to release any information about you without your consent. The POPI Act also protects the information of the customer (you). Two factor authentication is key to the act as the law requires a business to use all security measures possible to protect your information.

The Eight Requirements Are as Follows:


Accountability

A company is held accountable for the information that they have, and for what they do with it. They are accountable for upholding and complying with the act and what it stands for. 

Processing Limitation

A business can only collect so much information, the minimum required for what they need. They cannot collect any data without your consent or knowledge. 

Purpose Specification

Data must be collected with a goal and not at random. This information should be kept only for the time that it serves its purpose unless a longer period is required by law. Examples of this are certain business records needing to be kept for a few years.  

Further Processing Limitation 

A business cannot use your information for anything other than what it was gathered for. This includes the transfer of information to a third party. If data needs to be passed on, it can only be done with your consent and your knowledge of where and why it is going. 

Information Quality

The business must take responsibility for collecting accurate information. The data should not be misleading in any way, and it is up to a company to update any information as it changes. It is strongly recommended that any information gathered is done so directly from you. This ensures truth and accuracy as best as possible.


Openness

You are always allowed to know what is being done with your information. The business has to explain to you why they require specific information.

Security Safeguards

The business must protect the information gathered to the best of its ability. This includes but is not limited to:

  • Risk assessments for possible security breaches, both internal and external.
  • Security measures in place, such as two factor authentication.
  • Regularly updating their security systems to protect from hacking and social engineering.

Data Subject Participation

At any time, you are allowed to request a company do any of the following with your information:

  • Delete or edit the data you have provided them with 
  • Give you the information in return on what they are doing with the data gathered 
  • An explanation for the reason they require your information

It is critically important that businesses know the POPI Act and that they have implemented these requirements. As a customer or employee, it is good to know that your information is not freely available to everyone who asks for it.

How Do I Set up a Two Factor Authentication?

A business can start the process by subscribing to a service that provides advanced authentication. A few businesses offer a secondary security option, so have a look into them and decide what is best for your company.

For your at-home needs, every site has its steps on how to set up extra security measures. But basically, you can open your security settings on a computer or smartphone and request additional authentication.

Consumer Security 

Most consumer services such as Google, Apple, Facebook, and even your banking site have some form of two factor authentication. It is just a matter of locating it and turning it on.  

Set up two factor authentication on any device or site that may have any of your personal information on it. Your laptop, desktop, and phone are your top priority, but any site that you frequent should be protected too. 

Security Matters 

You may be reading this now and think that the inconvenience outweighs the risk. Why should you make an effort to change to a 2FA system when anything can be hacked, no matter how you protect it? Think again. 

It is already too late once the money is out of your account, your identity has been stolen or you find you have been “married” without the party and the wedding gifts! Two factor authentication is a minimum effort for maximum security. 

Yes, you have many sites that you visit. Yes, it is going to take you some time. But once it is all done, you can sit back and relax, knowing you are as protected as you can be. Maybe you will still get hacked, maybe you won’t. But at least you have made the process as complicated as possible for a potential cyber thief! 

Make the Effort

In this digital age, you will have personal information somewhere hackable. As an individual, you want to protect your personal and financial information. As a business, you are required to protect company secrets and customer information. 

COVID has resulted in us working from home and shopping online, both of which have their benefits. However, it has also exposed us all to increased security risks from our online activities. 

If you would like more information on two factor authentication and how to set it up effectively, please get in touch with our team, and we can walk you down the secure path of hassle-free cyber-happiness. 


is the Snr. Digital Marketing Manager for Sub-Saharan Africa at She is passionate about digital marketing and customer experience. She is dedicated and committed to enhancing the brand locally using strategic marketing campaigns via various channels.
