Security essentials: 2-factor authentication
By Joshua Poje
ABA Legal Technology Resource Center
There was a time not very long ago when a law firm was a relatively unexciting target for the average thief. Firm technology was rarely the latest and greatest, and the closets and drawers of the office were more likely to be full of paper than anything of immediate value.
But as we move deeper into the information age, the landscape is changing: Suddenly those immense piles of paper have become gigabytes and terabytes of data, and that’s exactly what many modern thieves crave.
Given this evolution, it’s not surprising that firms have become popular targets for hackers and scammers. Sophisticated social-engineering campaigns and carefully delivered malware have sought to expose the confidential data firms hold on behalf of their clients — and on several occasions these campaigns have been successful.
How can you protect your firm? There are a number of security tools and best practices firms can and should use, but one that has yet to receive the wide attention it deserves is two-factor authentication.
What is two-factor authentication?
Traditionally, users secure their online accounts and services using single-factor authentication — a password. Two-factor authentication builds on this by requiring that users not only know something (a password), but also that they have something, like a smartphone or security key fob. If either authentication method is missing or is entered incorrectly, the login attempt will fail.
ATMs are a classic example of two-factor authentication. To use an ATM, you must know something (your PIN) and have something (your ATM card). If your wallet is stolen, a thief will be unable to access your account because he lacks your PIN, and if someone sneaks a peek at your PIN as you type it in, he’s out of luck unless he manages to get his hands on your card.
In the online world of two-factor authentication, you begin by entering what you know — your username and password. After that has been authenticated, you’re taken to a second screen, where you’ll be asked to input a special code. That code is either generated using a device you own (e.g., a smartphone app) or it will be transmitted directly to you on a device you control (e.g., mobile phone via text or app, landline via voice).
For example: Two-factor authentication in Google
Few online services are used as widely or as frequently as Google. A single Google account may provide access to a person’s email, documents, calendar, search history, photos, website and much more. Given this wide use, it’s a good place to begin using two-factor authentication and a good demonstration of how the process works in real life.
To activate it, log into a Google service and click on the small menu arrow in the upper right-hand corner. A small pop-up will open with links to your profile and to your “Account” — click Account. On the next page, click “Security” on the left side of the screen. Finally, click “Settings” next to two-factor verification to begin configuring the feature.
Once configured, you’ll have several methods of obtaining the verification code that you’ll use in addition to your normal password. You can have the code sent to your mobile phone via text message. You can have Google call you and read the code to you. You can install the Google Authenticator app on your iPhone or Android device to generate a code as needed — even when mobile data access is down. Or you can print a list of one-time-use codes to keep in your wallet or other safe location to use when no other option is available.
Not thrilled with the extra hoop you’ll have to jump through each time you log in? On secure computers that are reliably within your control, like the computer in your office, you can opt to have Google remember you — and therefore not require the second verification when logging in from that device.
Not all online services offer two-factor authentication that works exactly like Google’s, but it’s a solid demonstration of the process.
Two-factor authentication is not enough
Two-factor authentication is a powerful security tool that should be part of your overall security regimen. But it is by no means a total solution. The following still remain vitally important:
- Use long passwords or passphrases mixing uppercase and lowercase characters with symbols and numbers.
- Use different usernames and passwords for different services to avoid a domino effect where one security breach leads to many more.
- Review security best practices periodically and revise your strategy accordingly. Scammers are constantly looking for a way around your protections — you need to be adaptable.
What services offer two-factor authentication?
Many of the leading online service providers today offer two-factor authentication, though the “on” switch can be buried deep in the service’s settings. In addition to Google, you can activate the feature on Facebook, Dropbox, Yahoo, PayPal, WordPress and LastPass. In the legal world, you’ll find two-factor authentication on both Clio and Nextpoint.
This is by no means an exhaustive list. Take a few minutes to review your online services and see if your providers offer two-factor authentication. If so, turn it on — no excuses.