A Quick Tech Tutorial: Two-Factor Authentication

June 1, 2013

Two-factor authentication is a best practice to fulfill authorization and authentication requirements for HIPAA compliance or PCI DSS compliance and can protect your data and business.  To gain a better understanding, Online Tech’s Technical Team shares this quick tech tutorial on two-factor authentication.

Two-Factor Authentication

Q:  What is two-factor authentication?
A: Two-factor authentication goes beyond using a user name and password. It adds another piece of technology to the mix for better security.

Q: How does two-factor authentication work differently than logging in with a normal user name and password?
A: Here is an example of how two-factor authentication works. A user requests access to a system. That user authenticates through a firewall, which checks with a domain controller to make sure the account is a valid user. The request is then sent to the user's cell phone, which prompts the user to approve or deny access.

Once the cell phone sends its approval back to the firewall, permission is granted and the user has VPN access. If they don't have a valid user name, a valid password, or the cell phone set up correctly, they will not get access to the system.

This puts a high level of security into an environment. In this example, the cell phone becomes the second factor of authentication, while the user name and password remain the primary factor.
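The access decision described above, written out as an added example (not Online Tech's code or any product's API): the firewall validates the user name and password against a directory, then requires an explicit approval from the user's enrolled phone. The directory, the enrollment table and the `push_approval` callback are constructed stand-ins; every failure mode the tutorial names (bad user name, bad password, no phone set up) and a phone that denies or never answers all fail closed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the domain controller: user name -> (salt, PBKDF2 hash).
DIRECTORY: Dict[str, Tuple[bytes, bytes]] = {}
# Constructed enrollment table: user name -> identifier of the registered phone.
ENROLLED_PHONES: Dict[str, str] = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll_user(username: str, password: str, phone: Optional[str] = None) -> None:
    """Store a salted password hash and, if supplied, the user's phone."""
    salt = secrets.token_bytes(16)
    DIRECTORY[username] = (salt, _hash(password, salt))
    if phone is not None:
        ENROLLED_PHONES[username] = phone


def vpn_access(username: str, password: str,
               push_approval: Callable[[str], Optional[bool]]) -> bool:
    """The firewall's decision: both factors must pass, anything else denies.

    push_approval is a hypothetical callback standing in for the round-trip
    to the phone; it returns True (approve), False (deny) or None (no answer).
    """
    # Factor 1: user name and password, checked against the directory.
    entry = DIRECTORY.get(username)
    if entry is None:
        return False                          # unknown user name
    salt, stored = entry
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return False                          # wrong password
    # Factor 2: the user must have a phone set up, or the request fails closed.
    phone = ENROLLED_PHONES.get(username)
    if phone is None:
        return False
    # Only an explicit approve from the phone grants VPN access.
    return push_approval(phone) is True


# Constructed sample users: alice is fully enrolled, bob has no phone set up.
enroll_user("alice", "correct horse battery", phone="phone-alice-01")
enroll_user("bob", "another secret")
```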

Q: Who should be using two-factor authentication?
A: Two-factor authentication is a requirement for PCI compliance. PCI requirement 8.3 states:

Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; or other technologies that facilitate two-factor authentication).

Anyone subject to PCI needs to have two-factor authentication. It would be a great idea for businesses that hold medical records or social security numbers. Anyone with sensitive data should be using two-factor authentication on their VPN.