
CitySmart Blog

Tuesday, April 17, 2018
Brian Ocfemia, Engineering Manager

With hackers targeting cities through a variety of aggressive attack methods, every common-sense practice that lowers the risk of a cyberattack deserves consideration. One often overlooked measure is two-factor authentication (2FA): requiring two independent forms of authentication, typically something you know (a password) plus something you have (a phone or hardware token), before granting access to an application. For example, an employee enters their email username and password and then approves a notification in an app on their phone to complete the sign-in.

Unfortunately, even though 2FA decreases the risk of an account compromise from cyberattack, many cities push back on this idea because they view 2FA as troublesome or inconvenient for users. True, 2FA can be one additional annoying step if you’re used to just typing in your username and password and getting on with your day. But cities handle sensitive and confidential information, and they need to comply with various federal and state laws pertaining to the security of the information they handle. It’s important to ensure that only authorized people from authorized devices access that information. 2FA is a necessary tool in your cybersecurity strategy that can reduce the liability of a potential data breach or compromise.

The good news is that 2FA has improved over the past few years as it has become more mainstream for financial services, email, common social media platforms, and other applications that give access to sensitive and personal information. A few things that may ease your mind about 2FA include:

  • Quick logins: The second factor usually adds only seconds. On a smartphone, a text message or an authenticator app provides a six-digit code, or a push notification that you approve with one tap, and you're ready to go. Where the service offers a choice, prefer an authenticator app or hardware token over text messages: SMS codes can be intercepted or redirected (for example by SIM swapping), which is why NIST SP 800-63B treats SMS as a restricted authenticator.
  • No need to log in multiple times every day: Most 2FA services will not re-prompt for the second factor every few minutes or hours. Typically the second factor is required only at the first login of the day, or once per trusted device that the user chooses to remember, while still maintaining strong authentication security.
  • Easy-to-use 2FA phone apps or messaging: 2FA often involves using an app or getting a text message on your smartphone. If your employees are used to texting and phone apps, then 2FA will feel quite natural.
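The "multi-digit code" the bullets above refer to is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the phone and the server share a secret, and each derives the same six-digit code from that secret and the current 30-second time window. The following is an added example, not code from the original post or from any particular 2FA vendor, showing how such codes are generated and, more importantly, how a server should verify them: tolerating a little clock drift, comparing in constant time, and refusing a code that has already been used. The secret is the test key from RFC 4226/6238; the `TotpVerifier` class and its `window` parameter are this example's own names.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared secret used for the published RFC 4226 / RFC 6238 test vectors.
# A real deployment generates a random per-user secret at enrollment.
RFC_TEST_SECRET = b"12345678901234567890"


def provisioning_secret(secret):
    """Base32 form of the secret, as encoded in the QR code an authenticator app scans."""
    return base64.b32encode(secret).decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (30-second steps by default)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Check `code` against the current step and +/- `window` neighbouring steps,
    so a phone whose clock is a few seconds off still works.
    Returns the matching counter, or None if nothing matched."""
    if at is None:
        at = int(time.time())
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None                                # reject malformed input before any crypto
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        # compare_digest avoids leaking the position of the first mismatching digit via timing
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class TotpVerifier:
    """Server-side state for one enrolled user: remembers the last accepted counter
    so a captured code cannot be replayed within its validity window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1                     # no code accepted yet

    def check(self, code, at=None):
        matched = verify_totp(self.secret, code, at, self.step, self.digits, self.window)
        if matched is None or matched <= self.last_counter:
            return False                           # wrong code, or a replay of an old one
        self.last_counter = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("provisioning secret:", provisioning_secret(RFC_TEST_SECRET))
    print("current code:", totp(RFC_TEST_SECRET, now))
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", v.check(totp(RFC_TEST_SECRET, now), now))
    print("replay accepted:", v.check(totp(RFC_TEST_SECRET, now), now + 5))
```

The replay check is what makes the code "one-time": a phishing page that captures a valid code and forwards it must do so before the legitimate user's own login consumes it, which is also why a ±1 step window should not be widened casually. Codes are derived, not transmitted, so a text message carrying a code is a weaker variant of the same idea: the secret stays on the server and the code travels over the phone network, where it can be intercepted.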

If you’re ready to explore 2FA, then we recommend a few best practices.

1. Apply 2FA to everyone.

Don't exempt anyone, least of all administrators and executives, whose accounts are exactly the ones attackers want most. Think of 2FA as an extension of your password and authorization policies. You wouldn't let a few people skip entering a username and password to reach their email. If some accounts are exempt from 2FA, those accounts become the weak link that hackers will look for and exploit.

2. Train employees.

Don’t assume employees will easily transition to 2FA. Include 2FA as part of your ongoing cybersecurity training. (You are conducting ongoing cybersecurity training, aren’t you?). Explain to employees why 2FA is so important, how it helps stop cyberattacks, and why it helps cities comply with laws and policies. And clearly explain how 2FA will work so that employees understand how to log in and how the authentication process will involve their smartphones or other devices.

3. Rely on experienced IT support professionals to handle any challenges.

As with any technology, 2FA will run into issues as employees start using it. Someone may forget the process. Another may have trouble receiving an authorization code on their smartphone, or may lose or replace the phone altogether. Because 2FA is new to many people and touches security, authorization, and compliance, it is best to have experienced IT professionals manage it. They will keep it working properly, resolve issues, make sure it is used appropriately, and, critically, run a documented recovery process (verifying identity before resetting a second factor) so that the help desk does not become the easy way around 2FA.

4. Include 2FA as part of your overall logical access security policy (including your password policy).

In a previous blog post, we talked about the importance of logical access security policies—meaning policies that electronically prevent unauthorized people from accessing sensitive information. Part of logical access security includes a strong password security policy—and 2FA can become part of that policy. You may need to flesh out some details in your policy about 2FA such as:

  • The process for logging in
  • Any authentication apps or processes that involve an employee’s smartphone
  • Whether or not an employee can use those authentication apps or processes on their own smartphone, a city-owned mobile device, or another device (such as a landline phone).
  • When and how an employee gets locked out, and how access is recovered (with identity verification) when a phone is lost or replaced
  • Processes for onboarding, monitoring, and decommissioning employee access and authorization

2FA can be a powerful tool in your city’s arsenal to improve your security, decrease your cyber liability, and increase your chance of preventing a cyberattack that leads to a compromise. By extending your logical access security policy to include 2FA, you will take some important steps toward making your city environment more secure.

It's possible that a hacker or bad actor in your office, in your city, across the country, or even around the world can obtain your username and password after you fall victim to a phishing scam. With 2FA, that stolen password alone is no longer enough to get in: the attacker is stopped at the second factor unless they can also get hold of your phone or trick you into handing over the one-time code in real time, which is why employees should be trained never to share a code or approve a login prompt they did not initiate. So why has your city not yet implemented 2FA?

Interested in implementing 2FA at your city or improving the way you manage it? Reach out to us today.