Why Multi-factor Authentication?
Your website's security is obviously of high importance to you (and to Gecko, of course), and protecting your data and your clients' data is paramount to any business. For decades, entering a username and password has been the standard way to access websites and applications, but this is changing as concern about online security grows. Because of this, more and more businesses are investigating the possibility of protecting their applications with multi-factor authentication (MFA) methods, which add an extra layer of security to the login process.
Multi-factor authentication (MFA, often called two-factor authentication or 2FA when two factors are used) has been around for a long time and is by no means a new concept. However, its popularity is growing rapidly as companies are forced to consider ever-tightening regulations around data security. For example, if you have client data in your Umbraco database gathered by your contact form, you'll want to make sure that information is for your eyes only!
So, what is Multi-factor Authentication?
Multi-factor authentication is essentially a second lock to which only you have the key. Entering your username and password unlocks the first door, and then you're faced with a second (and in some cases a third, depending on how "multi" you want your authentication to be). The idea is that if a 'hacker' or 'bot' (for want of a better word) manages to obtain your email address and your not-so-secure password ('password123' is easy to remember), that is still not all the information they will need to access your account or application.
I'm almost certain you will have experienced this at some point: have you ever been sent a six-digit code by text to your mobile phone after trying to log in to something? Well, that's the second door, and your mobile device is the key! So unless the hapless hacker also has your mobile phone handy, they won't be getting through that second door, and your data is protected! And of course your phone carries its own security measures to keep prying eyes out, so the level of protection is increased even further!
A text message isn’t the only kind of MFA available.
Types of Multi-factor Authentication
This is by no means an exhaustive list but here are some of the common methods we might use to add an extra layer of security to your Umbraco site.
Text Message to a mobile device
As discussed, you enter your user credentials to log in to your application and then receive a text message on your phone with a code (usually six digits, from those I've seen) that you must enter when prompted by your application to gain final access. You will of course have added your phone number to your user account on this application; just make sure you add the correct number, for a phone that only you have access to.
Google/Microsoft authenticator app
If your application is hooked up to either the Google or Microsoft authenticator app, you download the app to your mobile device and use it to generate your login code. Enter your login details on the website and, when prompted for a code, open the app and generate the one-time code for final access. You would do this with every fresh login attempt.
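The codes these apps produce are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), which is why the app needs no network connection: both the phone and the server derive the same six digits from a shared secret and the current time. The following is an added example, not code from Gecko or from Umbraco, showing how a server would generate and verify such a code. It uses the test secret published in the RFCs (a real secret is random bytes generated per user at enrolment), and the function names are my own. The verification step also shows the two things a practitioner has to get right that the app itself does not solve: tolerating a little clock drift, and refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); real secrets are
# random bytes generated per user at enrolment and never reused across users.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, for_time // period, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps receive the secret Base32-encoded (in the otpauth:// URI behind the QR code)."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding the URI usually drops
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                last_accepted_step: int = -1, window: int = 1,
                period: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the time step that matched, or None. The caller stores the returned step
    against the user so the same code cannot be replayed within its window.
    `window` tolerates +/- that many steps of clock drift between phone and server.
    """
    if now is None:
        now = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current_step = now // period
    matched: Optional[int] = None
    for delta in range(-window, window + 1):
        step = current_step + delta
        candidate = hotp(secret, step, digits)
        # compare_digest: constant-time comparison, so timing does not reveal how many digits matched
        if matched is None and hmac.compare_digest(candidate, submitted):
            matched = step
    if matched is None or matched <= last_accepted_step:
        return None  # wrong code, or a step whose code has already been accepted once
    return matched


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082
    print(totp(RFC_TEST_SECRET, 59))
    print(verify_totp(RFC_TEST_SECRET, "287082", now=89))  # accepted with one step of drift
```

The window of one step either side is the usual compromise: wide enough that a phone whose clock is half a minute out still works, narrow enough that a code is useless within a couple of minutes. Storing the accepted step per user is what stops someone who shoulder-surfs a code from using it again a few seconds later.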
Authorise your login using your email address
This method is slightly different from the two previous ones but a viable solution all the same. Here the user is sent a single-use login link to their email address each time they attempt to log in to a website or application, either before or after the username/password is entered. The link is valid for a short period (say fifteen minutes), after which it would need to be regenerated. As this method does not rely on a mobile device with its own security features, it may be said to be less secure than the others: the strength of the email account's password plays a large role in keeping this MFA method secure.
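The emailed link and the texted six-digit code described above are the same mechanism underneath: the server stores a random secret with an expiry, sends it over a channel only the user should control, and accepts it exactly once. This added example (mine, not Gecko's or Umbraco's code; the class and function names and the in-memory store are constructed for illustration, where a real site would use a database table) shows that server side for both kinds, with the fifteen-minute lifetime suggested above. Two details matter: only a hash of the secret is stored, so a leaked table does not hand out working links, and a six-digit code gets a small attempt budget, since one million possibilities is few enough to guess through if attempts are unlimited.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # "say fifteen minutes", as suggested above
MAX_ATTEMPTS = 5              # guesses allowed before an outstanding challenge is discarded


@dataclass
class Challenge:
    token_hash: str      # only a hash is stored: a leaked table must not hand out valid tokens
    expires_at: int      # Unix time after which the token is refused
    attempts: int = 0
    used: bool = False


class ChallengeStore:
    """In-memory stand-in (constructed for this example) for the table a real site would use."""

    def __init__(self) -> None:
        self._pending: Dict[str, Challenge] = {}   # one outstanding challenge per user

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: int, kind: str = "link") -> str:
        """Create a fresh challenge and return the secret to send to the user (never logged)."""
        if kind == "link":
            token = secrets.token_urlsafe(32)            # 256 bits: goes into the emailed URL
        elif kind == "code":
            token = f"{secrets.randbelow(10 ** 6):06d}"  # six digits: goes into the text message
        else:
            raise ValueError("kind must be 'link' or 'code'")
        # issuing a new challenge invalidates any earlier one for this user
        self._pending[user_id] = Challenge(self._hash(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str, now: int) -> Optional[str]:
        """Return user_id if the token is correct, unexpired, unused and not brute-forced; else None."""
        challenge = self._pending.get(user_id)
        if challenge is None:
            return None
        challenge.attempts += 1
        if challenge.used or now > challenge.expires_at or challenge.attempts > MAX_ATTEMPTS:
            return None
        # constant-time comparison of the hashes, so response timing leaks nothing about the token
        if not hmac.compare_digest(self._hash(token), challenge.token_hash):
            return None
        challenge.used = True   # single use: a second click on the link, or a reused code, fails
        return user_id


if __name__ == "__main__":
    store = ChallengeStore()
    link_token = store.issue("alice", now=1_000, kind="link")
    print(store.redeem("alice", link_token, now=1_060))   # alice
    print(store.redeem("alice", link_token, now=1_061))   # None: already used
```

For the link variant the user id travels in the URL alongside the token, so the server knows which pending challenge to check; for the code variant the user id is simply the session that just passed the password step.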
IP Lockdown
While not strictly MFA, this method still provides a second level of security and is best suited to business premises. An IP lockdown ensures your website's login portal can only be accessed from a specific IP address associated with a particular location, your workplace for example. While home working is in effect, either a home IP address can be added or, preferably, a VPN is used to reach the workplace network. This essentially removes all access to the login screen unless you are connecting from your workplace.
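An IP lockdown is only as good as the address it judges. The following is an added example (mine, not Gecko's or Umbraco's code; the function names and the sample addresses, which are drawn from the RFC 5737 documentation ranges, are constructed) of the allow-list check, written the way you would need it behind a load balancer or CDN: the forwarded client address is believed only when the request genuinely arrived from one of your own proxies, otherwise anyone could put an office address in a header and walk straight past the lockdown.

```python
import ipaddress
from typing import Iterable, List, Mapping, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_networks(entries: Iterable[str]) -> List[Network]:
    """Single addresses become /32 (or /128) networks; CIDR ranges are kept as given."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def client_address(remote_addr: str, headers: Mapping[str, str],
                   trusted_proxies: List[Network]) -> Address:
    """Which address should the lockdown judge?

    Only when the direct TCP peer is one of our own proxies do we believe X-Forwarded-For,
    and then only its right-most entry, which that proxy appended. Anything further left
    was supplied by the client and could say whatever the client wants.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in proxy for proxy in trusted_proxies):
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            return ipaddress.ip_address(forwarded.split(",")[-1].strip())
    return peer


def is_allowed(remote_addr: str, headers: Mapping[str, str],
               allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """True if the request may reach the login page; malformed addresses are denied."""
    try:
        ip = client_address(remote_addr, headers, trusted_proxies)
    except ValueError:
        return False
    return any(ip in network for network in allowlist)


if __name__ == "__main__":
    # Constructed sample configuration: the office range, one home worker, and the proxy subnet
    office_allowlist = build_networks(["203.0.113.0/24", "198.51.100.7"])
    our_proxies = build_networks(["10.0.0.0/8"])
    print(is_allowed("203.0.113.44", {}, office_allowlist, our_proxies))                          # True
    print(is_allowed("192.0.2.1", {"X-Forwarded-For": "203.0.113.44"}, office_allowlist, our_proxies))  # False: header from an untrusted peer
```

With a VPN in place, the allow list shrinks to the VPN concentrator's egress address, which is why the article prefers a VPN over adding individual home addresses: there is one entry to maintain and nothing to remove when someone's home connection changes.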
Multi-factor authentication can be applied to any login process, not just that of your Umbraco back-end. You may wish to add MFA to your members' login area to provide extra peace of mind for your users. While MFA does not come out of the box with Umbraco, there are options for both admin and member integrations, either via third-party plugins or custom-built solutions, depending on your requirements and the version of Umbraco your website is running.
If you have any concerns about your website's security, we are of course here to help, so if you would like to discuss multi-factor authentication with us please do get in touch!