An introduction to two factor authentication (2FA)


The evidence is overwhelming that passwords alone are not a strong enough method of protecting access to data: people often reuse the same password on multiple sites, so if one of those sites is compromised an attacker can use that same password to access many others. Unfortunately, despite this knowledge, we still rely too heavily on passwords as the primary authentication mechanism.

2FA provides an extra layer of security designed to ensure that you are the only person who can access your account, even if someone else finds out your password. It does this by prompting the user to enter a one-time security code that only they can generate, using a device they own (for example their mobile phone). So even if a malicious actor guesses or steals your password, they cannot gain access to your account without also having your device.

It is our recommendation that 2FA is set up as a default requirement when configuring your clients' access to CFS.

Setting up 2FA system options

2FA is enabled for all users out of the box and cannot be disabled, so every user can enable 2FA on their individual account after logging in to CFS, under "My Account". You can also require that all of your users set up 2FA: tick the "Force 2FA for all profiles" option in the System tab of the CFS Console. Doing so requires every user to set up 2FA the next time they log in (if they have not set it up already).

If you don't wish to force 2FA for everybody who logs in (for example if your system is accessed by the elderly, or you're concerned that it may prevent some users from being able to access their accounts), you can instead force 2FA on an individual profile basis: leave the system option unticked and tick the "Require 2 factor authentication" option under the "Promotions, notifications and appearance" section of the profile.

Using 2FA

With 2FA forced, the next time a client logs in to their account they will see the following screen:

The steps are written in clear English to guide your clients through the process, and the final stage requires the user to enter a code from their Authenticator app to verify that it has been set up correctly. This extra step prevents your users from setting up 2FA incorrectly and locking themselves out of their accounts.

Clients will then be asked to enter a new code from their Authenticator app each time they log in.
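The page does not show how CFS generates or checks these codes. The following is an added example (not CFS code) that assumes the Authenticator app uses the standard time-based one-time password scheme (TOTP, RFC 6238) that common authenticator apps implement. It shows the two checks described above: the enrolment confirmation that only enables 2FA once the user has proven their app produces the right code, and the login check that requires a fresh code each time. The `Account` class and the replay bookkeeping are hypothetical; the secret is the published RFC 4226/6238 test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test-vector key ("12345678901234567890") in base32,
# used here only so the expected codes are known. A real deployment generates a
# random secret per account and shows it to the user as a QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Check a submitted code, tolerating +/- `window` steps of clock drift.

    Comparison is constant-time; malformed input is rejected rather than raising.
    """
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + drift * step, step), submitted):
            return True
    return False


class Account:
    """Hypothetical account record showing 2FA enrolment and login checks."""

    def __init__(self, password: str):
        self.password = password          # stored hashed in any real system
        self.totp_secret = None           # set only once enrolment is confirmed
        self.pending_secret = None        # shown to the user but not yet proven
        self.last_counter = -1            # last accepted time step, to refuse replays

    def begin_enrolment(self, secret_b32: str) -> str:
        """Issue a secret for the QR code; 2FA is NOT active until confirmed."""
        self.pending_secret = secret_b32
        return secret_b32

    def confirm_enrolment(self, code: str, at: int) -> bool:
        """Final enrolment step: the user proves their app generates matching codes."""
        if self.pending_secret is None or not verify_totp(self.pending_secret, code, at):
            return False
        self.totp_secret, self.pending_secret = self.pending_secret, None
        self.last_counter = at // STEP_SECONDS
        return True

    def login(self, password: str, code: str, at: int) -> bool:
        """Password AND a fresh one-time code are both required (2FA forced)."""
        if not hmac.compare_digest(password, self.password):
            return False
        if self.totp_secret is None:
            return False                  # forced 2FA: enrolment must be completed first
        counter = at // STEP_SECONDS
        if counter <= self.last_counter:
            return False                  # a code from this step was already used
        if not verify_totp(self.totp_secret, code, at):
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    acct.begin_enrolment(RFC_TEST_SECRET_B32)
    print("wrong confirmation code accepted?", acct.confirm_enrolment("000000", 59))
    print("correct confirmation code accepted?", acct.confirm_enrolment(totp(RFC_TEST_SECRET_B32, 59), 59))
    print("login with fresh code:", acct.login("correct horse battery staple", totp(RFC_TEST_SECRET_B32, 1111111109), 1111111109))
```

The enrolment check is what keeps a user from locking themselves out: `totp_secret` is only populated after a code from the pending secret verifies, so a mis-scanned QR code fails at confirmation rather than at the next login. The `last_counter` check refuses a code that has already been accepted in the same time step, which is the RFC 6238 recommendation against replaying an observed code.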

2FA is a great addition to security, but it should never be used as a substitute for strong passwords, so it is worth taking note of some of the other password settings offered by CFS as well, such as ‘Prompt initial password change’ and the password rules… Together these help to build a safer environment for you and your clients.