Two-factor authentication, usually abbreviated to 2FA, is an easy-to-implement security measure that adds a second layer of protection to web hosting accounts, control panels and the admin areas of websites. Here, we’ll explain what 2FA is, why you need it and show you how to set it up.
What is 2FA?
When you log in to an account, you normally have to fill in a username and password. The username identifies you, so that you log in to the right account, and the password, which no-one else is supposed to know, proves that you are who you claim to be. On its own, the password provides single-factor authentication: the only thing standing between an attacker and your account is one secret you know.
Two-factor authentication requires a second, independent method of verification. In most cases, once you have entered your password as normal, you are asked for a unique security code that is sent to you by text message or email, or generated by an authenticator app on your phone. Anyone else who has your username and password would still be unable to log in without access to the device that receives or generates the code. As you will most likely have that device with you when you log in, it is very unlikely anyone else will see the code. One caveat: a code delivered by text message or email can be intercepted more easily (for example through a hijacked phone number or a compromised mailbox) than one generated on the device itself, so where an authenticator app is offered it is the stronger choice.
What’s more, unlike passwords, security codes are short-lived: each one is valid for a single use and for no more than a few minutes. That leaves an attacker no time to guess the code, and a code that is intercepted, or found on your device later, is useless once it has been used or has expired.
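To make the mechanics just described concrete, here is a minimal server-side issuer and verifier for short-lived one-time login codes. This is example code written for this article, not WHUK’s or any control panel’s implementation. The six-digit length, five-minute lifetime and five-attempt limit are assumptions chosen for illustration; what matters is that each code is randomly generated, stored only as a hash, accepted once, expires, and is discarded after a few wrong guesses.

```python
# Added example: a minimal issuer/verifier for short-lived one-time login codes.
# Illustrative code for this article, not WHUK's or cPanel's implementation.
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # assumption: six-digit codes, as most SMS/email schemes use
CODE_LIFETIME_S = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5       # assumption: after five wrong guesses a new code is required


class OneTimeCodeStore:
    """Issues single-use login codes and verifies them against a user and expiry."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be demonstrated
        self._pending = {}         # username -> (code_hash, issued_at, attempts_left)

    @staticmethod
    def _hash(code):
        # Store a digest rather than the code, so a leaked table exposes no live codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        """Generate a fresh random code for the user and return it for out-of-band delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (self._hash(code), self._now(), MAX_ATTEMPTS)
        return code

    def verify(self, username, submitted):
        """Return True exactly once for the correct, unexpired code; otherwise False."""
        entry = self._pending.get(username)
        if entry is None:
            return False                       # nothing pending (never issued, used, or locked)
        code_hash, issued_at, attempts_left = entry
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._pending[username]        # expired: stop accepting it
            return False
        if hmac.compare_digest(code_hash, self._hash(submitted)):
            del self._pending[username]        # single use: consume on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]        # too many wrong guesses: force a new code
        else:
            self._pending[username] = (code_hash, issued_at, attempts_left)
        return False


def demo():
    """Walk through the properties a practitioner cares about, using a fake clock."""
    clock = [1_000_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])
    results = {}

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_guess"] = store.verify("alice", wrong)   # one bad guess does not lock
    results["correct"] = store.verify("alice", code)        # right code within lifetime
    results["replay"] = store.verify("alice", code)         # same code again is rejected

    code = store.issue("alice")
    clock[0] += CODE_LIFETIME_S + 1
    results["expired"] = store.verify("alice", code)        # correct but too late

    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong if wrong != code else "999999")
    results["lockout"] = store.verify("alice", code)        # burned after too many guesses
    return results


if __name__ == "__main__":
    print(demo())
```

The combination of a few-minute lifetime and an attempt limit is what defeats guessing: with a six-digit code and five attempts, an attacker has a 5 in 1,000,000 chance per code, and each new code resets the odds rather than letting them accumulate.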
Today, 2FA has become standard procedure for logging in to many accounts. Some organisations, like banks, make 2FA compulsory; others, like Google, Microsoft and here at WHUK, strongly recommend it.
Why you need 2FA
Accessing hosting accounts, control panels and admin areas of websites provides lots of opportunities for hackers. It enables them to steal data, such as the personal data of your customers or business intelligence; install malware on your server that can infect the devices of people who visit your site; change your website, perhaps redirecting people to a clone of your checkout page so that customers are defrauded; take over your server so it is used to carry out illegal activities, such as sending spam; or, quite simply to take down or ransom your site. These are just some of the many ways that hackers exploit websites.
The point of a password is to prevent anyone except you having access to your accounts. However, though passwords offer some protection, websites that rely solely on them are not impregnable. There are several ways that hackers try to find them.
One of the most common ways of obtaining a username and password, and one which many users fall victim to, is phishing. Cybercriminals targeting a website’s login will often forge an email that looks very like one from your web hosting provider, telling you there is a problem with your account that requires you to log in. The sender address or display name is typically spoofed so that the message appears to come from your actual provider.
That email will contain a link that takes you to what appears to be the login page. It won’t, however, be the genuine page; it will be a clone that looks like it. When you log in, your username and password will be in the hands of the hackers. What’s more, to pull the wool over users’ eyes even further, once they have entered their credentials and pressed enter, the clone site will redirect them to the genuine site. They won’t be logged in but, seeing they are on the real website, rather than suspecting anything, they’ll assume it was a glitch and log in again, none the wiser.
Cybercriminals will go to extraordinary lengths to carry out these kinds of attack. They will register domains with names similar to those of legitimate companies, create fake sites and email addresses, and use WHOIS and DNS lookup sites to find out which provider hosts an individual website (this is publicly available information). They’ll also search your website for the names and email addresses of people to send the phishing emails to, and perhaps research your company elsewhere on the internet. All in all, it is a sophisticated approach designed to convince users that the phishing emails are genuine, and this is why so many people have fallen victim to it.
Phishing, of course, is not the only way hackers try to gain access. Others use automated brute-force and credential-stuffing tools. These tools draw on databases containing billions of login credentials stolen in earlier breaches, together with dictionaries of common passwords and their variations, and can fire login attempts at a server at very high speed, so a weak or reused password can fall in minutes. What they cannot do is guess a 2FA code as well: the code is random, different every time and valid for only a few minutes, and a well-implemented system also discards it after a handful of wrong attempts, leaving no time to work through the possibilities.
2FA can also protect against internal threats. In some companies, the web hosting logins are shared among several employees, or even left lying around or stuck to pinboards. It’s not unheard of for disgruntled or former employees to make use of such access for illegitimate reasons. Because the second factor is tied to a specific person’s device, a shared or leaked password is no longer enough on its own. Ideally, each person should also have their own login, so that access can be revoked individually when someone leaves.
How to get 2FA for your WHUK accounts
The team at WHUK strongly recommend the use of 2FA to improve the security of your hosting accounts and website. To help you set up 2FA, we have created a useful, step by step guide on our knowledgebase. You can access it by clicking this link: How to enable two-factor authentication (2FA).