Today, two-factor authentication is a popular feature of many technology systems marketed to registered investment adviser (RIA) firms. But what does it actually mean? In short, two-factor authentication is the process of using two different authentication methods to verify a user's identity before granting access to, in the context of this post, an online service. This additional layer of security is particularly relevant to RIA firms given their access to sensitive client data and the fact that a firm's employees are generally its greatest cybersecurity exposure. In particular, employees' individual logins are the usual way into cloud-based systems, since each user accesses the system with his or her own credentials, and a single compromised login is all an attacker needs.
The methods, or factors, of authentication available to a user are generally classified into one of three groups:
- Knowledge Factor: The most common way of verifying a user's identity with technology. This method requires the user to supply a piece of secret information to gain access to a secure service. (Examples: PINs, passwords, unlock patterns, number combinations, security questions, etc.)
- Possession Factor: This method requires the user to hold a physical item to gain access to a secure service; using a key to enter a house is a non-technology example. (Examples: security cards, smartphones, key fobs, a registered computer, a thumb drive, etc.)
- Inherence Factor (sometimes written "inheritance factor"): This method uses a characteristic that is inherently unique to the person requesting access. Until recently this kind of verification was confined to high-security environments; fingerprint scanners on smartphones have made it commonplace. (Examples: fingerprints, retina or iris scans, face recognition and other biometrics, etc.)
A very common two-factor process is the one used by the Google Authenticator application. With this phone application, after providing a username and password, the user must also enter a 6-digit code that the app generates on his or her smartphone from a secret shared with the service and the current time, so the code changes every 30 seconds. In this example the user must pass a knowledge factor, the username and password, and a possession factor, access to the smartphone that holds the app's secret, to reach the secure service.
Some smartphone-based authentication apps have started requiring a fingerprint before they will show a code or approve a login. Adding an inherence factor means the login involves three factors, which the broader term multi-factor authentication covers (two-factor authentication is simply the case of exactly two). One caveat: when the fingerprint only unlocks the app on the phone, it is the phone, not the online service, that checks it. The service still sees just the password and the possession factor, so the fingerprint mainly protects the second factor against someone who has picked up an unlocked phone.
So Why Should RIA Firms Consider Implementing 2-Factor Authentication?
Using two or more authentication factors to secure a service significantly improves its security by making it much harder to break in through an individual's login credentials. When two-factor authentication is in place, a bad actor who obtains an employee's username and password (through phishing, a password reused from another breach, or malware, for example) still lacks the second factor, such as a third-party authenticator app or the one-time code texted to the employee's smartphone, and so has a much harder time reaching sensitive information. The factors are not all equal, however: a code sent by SMS can be intercepted or redirected if an attacker takes over the employee's phone number, so an authenticator app or hardware token is preferable to SMS wherever the service offers it.
Furthermore, much of the cybersecurity regulatory guidance aimed at investment advisers is beginning to highlight the importance of two-factor authentication. Regulatory guidance aside, investment advisory firms need to take protection of sensitive client information seriously given the exceptional business risk that it poses. As such, RIA firms need to take the time to develop thoughtful policies, procedures, and systems that do everything reasonably possible to minimize the risk of an information security breach.
In addition to the many common business applications that now offer two-factor authentication as a built-in feature, there are a number of third-party authentication and password management systems that let a firm centralize two-factor authentication. Instead of an employee maintaining a separate two-factor setup for each individual system, such as customer relationship management (CRM) software, portfolio management and reporting software, and financial planning software, a password manager stores all user credentials and places a single two-factor process in front of all of them. The trade-off is that the password manager becomes the most valuable target in the firm, so its own second factor, master password, and account recovery process deserve the closest scrutiny.
Be sure to check back next week as we further discuss the reasons for an RIA firm to explore utilizing a password manager tool as part of their information security plan.