In more than two decades as an IT security professional, it has been apparent to me that when technical people begin to explain IT security issues to business executives, glazed expressions sweep through the room like a Mexican wave the moment technical terms are used. So the purpose of this “IT Security Explained” series, which began with my article on “Phishing”, is to remove the mystery behind IT security jargon, to help businesses become more aware of the dangers, and ultimately to help businesses help themselves.
We tend to forget during the internal battles for budgets and resources that without the business there would be no need for IT or IT security, and that without IT and IT security there may not be a business left to manage. The key to unlocking IT security is better internal communication: realizing that IT is integral to the business, and that it is the business that IT departments are there to serve.
Speaking of keys, that’s the theme of this, my second post in this series. Here we consider something called “Two Factor Authentication”. I will now explain what this actually is and why you should be using it.
Imagine a building which contains something of high value, something to be protected. We could lock the door with a key or we could lock the door with a combination lock. To be really secure we would have both types of lock, so that to enter the building we need both a physical key and the passcode.
Two Factor Authentication is the digital equivalent of having both locks on the door, but with one vital difference: the passcode on the combination lock changes every 30 seconds or so. Now, to get into the building, we need both the key (the password) and the current one-time code for the combination lock.
So with standard authentication, to access an online account we just need a key (the password), but with Two Factor Authentication we need both the key and the one-time passcode. The word “factor” matters: the two must be of different kinds, something you know (the password) and something you have (your phone or a physical token). A second password would not count, because a thief who has stolen one can just as easily have stolen the other.
Most of the big online services provide Two Factor Authentication for free, and you may already be using it. Gmail, LinkedIn, Facebook and Twitter all have it as an option, and if you are using these for business you really should have this protection turned on. They work by sending the passcode via SMS/text message directly to your mobile phone, or by generating it in an app installed on your phone, after you have entered your password. Where a service offers both, the app is the better choice: the code is produced on the phone itself, so it cannot be intercepted or redirected in the way a text message can. Receiving passcodes via SMS/text message does have one useful side effect as an alerting system: if someone steals your password and then tries to access your account, a passcode will still be sent to your phone, so you learn straight away that your password has been compromised. If you receive a code when you are not expecting it, change your password, not just on the account that alerted you, but on every online account for which you use the same password.
Many online accounts can also be integrated with the Google Authenticator app, which can be found at
This app is worth serious consideration if you are not using it already.
For some online banking systems, you might be provided with a dedicated app that works similarly to Google Authenticator, or even with a small physical device, which usually looks like a small calculator or a key fob with a digital screen that displays the passcode.
Thanks to Gary Sharpe for his editorial assistance.