The most common forms of two-factor authentication (2FA) are SMS text messages and apps that generate codes which change every 30 or 60 seconds. To many, the difference between these choices might seem negligible. You are essentially just opening an app (either the “texting” app or the authenticator app) to get a six-digit code whenever prompted. To the end user, this probably feels like basically the same experience. I feel very strongly that authenticator apps are much safer and more secure than SMS-based text messages for 2FA. Let’s take a look at a few reasons why that is the case.

Apps Don’t Expose Your Phone Number

The latest privacy and security nightmare at Facebook is a reminder that tech companies don’t always use your data in the way they claim they will when they request it. The Electronic Frontier Foundation has a great write-up in their article, You Gave Facebook Your Number For Security. They Used It For Ads. The title sums up what Facebook and many other tech companies do… once they have your data on file for one reason (such as security) they may turn around and sell it to advertisers. In the case of a phone number, this means more spam phone calls.

Phone Numbers Are Only As Secure As Their Service Providers

Social engineering attacks against high-profile individuals commonly involve their wireless carrier. For example, a cryptocurrency investor and co-founder of the angel group “BitAngels” has filed a lawsuit against AT&T for $224 million after what he claims was “AT&T’s willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy”. After the attacker gained access to the phone, he was able to steal roughly $24 million worth of cryptocurrency.

Phones connected to wireless carriers have an inherent liability that authenticator apps do not have: an employee of your carrier could intentionally or accidentally expose your account to an attacker impersonating you or stealing your identity. It might not be something that the average person worries a great deal about; however, the higher someone’s profile, the more it should factor into their decision making when it comes to their digital security. Celebrities, political figures, and certainly C-suite leaders at any organization should start to think of themselves as potential targets of this kind of attack and take relevant precautions.
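To make concrete why an authenticator app keeps the carrier out of the loop, here is a minimal RFC 6238 TOTP implementation using only Python’s standard library. It is an added example, not code from the original post: the only time the secret leaves the server is the one-off enrolment QR code (the otpauth:// URI), and every later code is computed on the phone from that secret and the clock, so there is nothing for a carrier-side account takeover to intercept. The secret used is the RFC’s published test vector, and the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # how long each code stays valid
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS)

def verify_totp(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check: accept the current step plus `drift` steps either side for clock skew.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-drift, drift + 1))

def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI a site encodes in its enrolment QR code. This is the only time the
    secret is transmitted, and it goes to the app on the device, never to the phone number."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")

# Constructed demo using the RFC 6238 test secret (never reuse a published secret in production).
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))   # the RFC's published value for t=59 is 287082
    print(provisioning_uri("ExampleCorp", "alice@example.com", RFC_TEST_SECRET))
```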

What Should You Use?

There are several good, reliable options out there for authenticator apps so that you can replace the use of SMS text-based authentication wherever possible.

Google Authenticator

Google’s app has been a staple of this space for a long time. It is simple, clean, and easy to use. It is also available cross-platform.

Authy

If you aren’t comfortable using a Google product for any reason, then Authy is a great option. It is another beautiful app that works on Android and iOS devices and should be compatible with all of the same apps and services that Google’s authenticator is.


Best Possible Option: Physical Authentication Keys

If you are really serious about security, then consider going a step further and acquiring a physical authentication key. The first to gain major popularity was the “YubiKey”, made by Yubico. They were so successful at Google that Google claimed to have eliminated employee account takeovers for accounts protected solely with YubiKeys.

Google now also makes its own version of the security key, known as the “Google Titan Security Key”. Both Google’s and Yubico’s products retail for about $50.

Last month, I wrote an intro to Blockchain technology, calling it “A Glimpse at the Future of HR Data”. Now, I want to take you a step further to show some examples as to why this technology is poised to be so disruptive to many common business processes.

Get to Know “Smart Contracts”

Some cryptocurrency coins, such as Ethereum, go a step further than Bitcoin and enable a process to take place on top of the blockchain which is almost like an app or a program integrated with the data. These so-called “smart contracts” are instructions that automatically execute actions once certain conditions are met within the blockchain. This layer of automation has many in the tech world very excited because of the possibilities for streamlining workflows and boosting productivity. Not only could this significantly impact your workforce but also your HR processes. Let’s take a look at some examples.

Productivity & Organization

Software giant Oracle recently filed a patent titled “managing highly scalable continuous delivery pipelines” for an internal workplace blockchain to manage the office of the near future. Such a system could keep track of employee work behaviors such as the status of an ongoing project, goal achievement, target delivery, and contributions from team members. Your managers would be better enabled to truly support their direct reports as team leaders instead of just “managing” day-to-day activities. And since the blockchain is reliably secure, it can be trusted with proprietary data and other significant details.

Onboarding

It is a huge task for any organization to get a new hire up to speed. It involves a coordinated effort across teams, ranging from HR to IT to management and the new hire’s own team. The process, however, follows a template of sorts… every new hire follows a similar path. There’s the common checklist of ID card, email account, access to computer systems, documents to sign, and so forth.

Much of the burden of this roll-out can now be automated using smart contracts on a company’s Blockchain network. The administrator could enter a little bit of information, such as someone’s name, or other basic details, and the program could take it from there and automatically populate many of the elements of that onboarding checklist which would have once been done manually. Think of the time and energy you, your management and IT teams could save.

Transitioning an Employee’s Exit

In much the same way that it is important to help someone get up and running quickly, it is often just as important to close out an employee’s access when they leave an organization. The automation application of smart contracts can facilitate the removal of someone’s security clearance or building access, revoke digital permissions to files or email, and so forth. In my experience, this is an area where so many organizations really drop the ball, and employees are left with access that they should not have for far too long. The circumstances of their departure, however pleasant or nasty, do not matter; as soon as someone no longer needs their access, it needs to be revoked, because they represent a risk. As cold and uncaring as that may sound, a responsible organization needs to put its safety and security first and foremost. Smart contracts in a blockchain system make following through on that premise very simple. Changing one line in someone’s personnel file could instantly set off a chain reaction of automated processes removing their access from every system that they no longer need to be involved in.

So you can see how smart contracts are an exciting application poised to make a real difference to business processes. I expect that the way many of your HR activities are conducted can and will be modified or significantly re-imagined using smart contracts through blockchain mechanisms over the coming years.

If you’re interested in learning more about Cybersecurity principles you can read more here on the KardasLarson blog or attend my upcoming webinar on Cybersecurity Principles from HR Jetpack.

By now, you’ve probably heard of blockchain technology in connection with something like cryptocurrency thanks to Bitcoin. Well, the same underlying structure that makes those digital currency tokens possible is being adapted for all sorts of business-to-business purposes. An HR Blockchain of the near future might help you manage your payroll around the world, certify the identities of candidates for open positions, or protect your organization’s proprietary data. Let’s take a closer look at how it all works.

Introducing the HR Blockchain

A blockchain is a digital ledger, like the one you would use in accounting. Each block is a transaction or series of transactions in the log. The “chain” refers to the ongoing collection of blocks over time as they are added to the ledger. This ledger is copied in such a way that it exists on many different “nodes” (servers networked together). So if you change an entry in one place, it needs to be validated across them all. This makes the entire system very tamper-resistant and hard to hack from the outside, since you can’t easily attack all of the nodes and change them at once to successfully convince them all to accept the change. Therefore, a blockchain network is considered to be a highly secure system.
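The two properties described above, blocks that are linked by hashes and copies that must agree across nodes, can be shown in a few dozen lines. This is an added illustration, not code from the post or from any real blockchain: each block’s hash covers the previous block’s hash, so editing one entry breaks every link after it, and a node whose copy differs from the others is rejected. The ledger entries are constructed HR-style examples.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the block before this one; the "link" in the chain
    data: str        # the transaction(s) this block records

    def digest(self) -> str:
        # Hash the block's full contents, including prev_hash, so every later
        # block implicitly commits to everything recorded before it.
        serialized = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(serialized).hexdigest()

def build_chain(entries):
    """Append each ledger entry as a new block linked to the previous block's hash."""
    chain = [Block(0, "0" * 64, "genesis")]
    for i, entry in enumerate(entries, start=1):
        chain.append(Block(i, chain[-1].digest(), entry))
    return chain

def chain_is_valid(chain) -> bool:
    """Internal consistency: each block must reference the true hash of its predecessor."""
    return all(chain[i].prev_hash == chain[i - 1].digest() for i in range(1, len(chain)))

def fingerprint(chain) -> str:
    """One hash summarising a node's entire copy of the ledger."""
    return hashlib.sha256("".join(b.digest() for b in chain).encode()).hexdigest()

def nodes_agree(nodes) -> bool:
    """Cross-node validation: a change is only accepted if every node's copy matches."""
    return len({fingerprint(n) for n in nodes}) == 1

def edit_on_one_node(nodes, node_idx, block_idx, new_data):
    """Simulate someone altering a single entry on a single node's copy."""
    nodes[node_idx][block_idx].data = new_data

# Constructed sample ledger entries for an HR use case.
SAMPLE_ENTRIES = ["hire: alice, start 2024-01-08",
                  "payroll: alice, 1000 USD",
                  "access: alice, badge + email granted"]
```

Editing a middle block breaks the chain on that node; editing only the newest block leaves that node internally consistent, which is exactly why the cross-node comparison is still needed.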

Certifications and Identity

Identity is a core problem for both employers and employees… can you trust that someone is who they claim to be on a piece of paper? Do they really have the degree from the university, with the grades and achievements, that they claim to have earned? Did they really pass the drug screening? Are they a legal citizen of the country your organization is based in?

There are so many hurdles involved in hiring and sustaining employment, all of which are centered around trusting the identity of the person in question. Blockchain technology is built around the idea of establishing trust. The two parties exchanging data don’t need to trust each other… or even know one another; they just need to trust the system and the processes at work. If you trust that the Blockchain will work, then you can quickly and safely get the data that you need.

So in the near future, all documentation relating to our identities may exist on various blockchain networks which an employer might be able to securely access to nearly instantly verify the credentials of potential candidates for positions without having to make phone calls or do research. Universities could make your records available, and then you as the one who earned your degree could toggle access on for the employer to “view” and verify that record on an as-needed basis. The same could be done for your medical records for something like a drug test or sharing that you’ve had certain vaccinations before traveling.

International Payroll

Running an international organization is a complicated process, and one of the consistent hassles is dealing with local currencies, regulations, and policies regarding paying employees in each of the unique countries in which you operate. Dealing with intermediaries and their fees, along with exchange rate volatility, is highly inefficient. These issues are leading many organizations to consider blockchain solutions for international payments.

Leading corporate finance blockchain technology firm Ripple has established partnerships with banks, credit card companies, and global money transfer specialists to explore the possibilities of using the blockchain to replace existing models. For example, Ripple has ongoing trials with Western Union, Viamericas, and Mercury FX.

The premise is simple: blockchain technology should be faster and more secure than traditional banking methods. Instructions can be sent anywhere in the world on a blockchain network, and then only converted to the local currency for payment once they reach the other end. So this method should have the fewest possible steps to go through from source to destination. Rather than taking days or hours, it could potentially happen in seconds.

Outlook

Blockchain technology is poised to be a foundation element of 21st century life. It may become the underlying architecture that is used to build the next-generation of apps and services that change the business processes that we use every day. The goal is to continue to move towards a more efficient and secure exchange of information between people and organizations around the world.

When it comes to our personal and professional cyber-hygiene, most of us like to think that we are safe, clean, and don’t take too many risks… and we probably know deep down that there are some things that we could be doing better.

For ourselves, we want to be vigilant to protect our credentials and private information that could be used to harm our reputation or be leveraged by identity thieves. From an organization’s perspective, those same concerns come into play with the addition of larger data-loss issues and responsibilities to meet many state and federal guidelines.

Let’s take a look at 3 major areas that you can review to be more secure online.

Staying Updated

Whether it is your personal smartphone, your company’s website, or a computer… an outdated system is one that is at risk. Attackers are looking for any way into your data that they can find, and most often that is in the form of an exploit or bug that has been patched in the latest version of an app or operating system. If you haven’t updated yet, then your outdated device or system represents an opportunity for the attacker.

Staying current is challenging, sometimes expensive for an organization, and critical to maintaining a secure environment. Here are some best practices for staying updated:

  • Be Organized: Keep track, in the form of a spreadsheet or database, of all of the pieces of technology that you and your organization use. Determine which of those can be automatically updated safely vs. those which need to be done manually. Assign those manual updates to people who can be responsible for keeping them current in a timely fashion.
  • Minimalism is Good: If the point above is intimidating, then that’s probably a good thing. Most of us have too much technology in our lives. The existence of free apps and services has given rise to a ton of “bloatware”. Our phones, PCs, and websites are running a lot of junk that we don’t need. Trim out everything that you don’t rely on, because those unnecessary services could represent a security risk.
  • Be Realistic: We all run into technology issues that we don’t understand. When you hit that point, seek help. There are terrific resources online if you want to learn. Otherwise, consult a professional to help.

Accounts and Passwords

Have you ever bought a new house, asked for the key and been told to “just use the same one as your last house”? Every door is meant to have a unique key, and that’s the way that you should think about passwords.

Just about every few weeks on the news there is an announcement of a major service’s data leak. When that happens, the attackers steal the database of usernames and passwords. Then those people, and anyone with access to the list, will try those same username and password combinations all over the web. So if you repeat passwords, it is only a matter of time until you get caught up in this kind of situation. Since most of us only have a few different email addresses or usernames that we can use, make sure that every single website that you use has a unique password.

That raises the absolutely valid point: “But I won’t be able to remember them all!” No, you won’t. And you shouldn’t have to. There are several apps and services that act as password vaults to store all of these passwords. LastPass, 1Password, and KeePass are just a few of the popular options. Using this sort of system, you can have a unique password for every site you use, while carrying those with you on your smartphone and having them auto-fill in your web-browser. It is fast, efficient, and far more secure than any password simple enough to be remembered easily.

The final, and critical, step to securing your accounts is to make sure to turn on 2-Factor Authentication (2FA) on any account that offers it. It is a security layer that requires an extra password, usually in the form of a code sent to or generated by your phone, in order to log in whenever the website or app doesn’t recognize your device. That means that if someone is trying to hack into your account from Russia or China, even if they successfully get past your password they won’t be able to get into your account unless they are also holding your phone.

Email Habits & Avoiding Phishing

Phishing attacks are emails that appear to come from someone other than their actual sender, hoping to get you to click on a link or attachment that will lead to an infected site or file. These attacks are incredibly successful because people are generally not very critical of the email that they receive and are often quick to click without first considering what they are clicking on.

A common trait of phishing emails is a sense of immediacy, or the sense that you as the recipient are being rushed to respond. The senders of phishing emails often try to capitalize on the recipient’s emotional state to get them to hurry and not look carefully at a misspelled URL or suspiciously named file extension before they click on it.

Here are some tips to improve your email habits to be safer and less likely to be the victim of a phishing attack:

  • Look Before You Click: When you hover your mouse over a button or text link, the URL’s destination will appear in the bottom left of most browsers. If you can’t make sense of where that link is about to take you, then just don’t click on it. The most important thing to check is the domain, to make sure it is properly spelled (attackers often use domains which are close to, but not quite, the real deal).
  • Don’t Take the Bait: If a service emails you with concerns about your account, go through their website directly. You don’t need to become an expert in reading URLs if you just avoid taking them in the first place. You should always be able to go to the website, sign-in normally, and navigate through your account settings and their help menus without having to start the process in the email that was sent.
  • Disable Macros in Microsoft Office: Many phishing attacks involving attachments work by leveraging an exploit of Microsoft Office’s macro function. If Office Macros are not part of your workflow, then you will be more secure if you disable that feature. Visit Microsoft’s Office Support documentation for the full instructions.
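The “check the domain” advice above can also be applied by software before a message reaches an inbox. The following is an added example, not code from the post: it pulls the real hostname out of each link and flags a link as a lookalike when a trusted domain appears as a subdomain of something else, or when the domain is within a couple of character edits of a trusted one after undoing common digit-for-letter swaps. The allowlist and the sample links are constructed, and the two-label domain extraction is a simplification of what a production filter (using the Public Suffix List) would do.

```python
from urllib.parse import urlparse

# Constructed allowlist: the domains this organisation actually sends mail about.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}

# Digits commonly swapped in for look-alike letters (0/o, 1/l, 3/e, 5/s, 7/t, 8/b).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def registrable_domain(host: str) -> str:
    # Keep the last two labels: "mail.example.com" -> "example.com".
    # Simplified on purpose; real code should consult the Public Suffix List (e.g. co.uk).
    return ".".join(host.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for where a link really points."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme not in ("http", "https") or not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of someone else's domain.
        if host.startswith(trusted + "."):
            return "lookalike"
        # A character or two off, or digits standing in for letters.
        if edit_distance(domain.translate(HOMOGLYPHS), trusted) <= 2:
            return "lookalike"
    return "unknown"

def scan_links(hrefs):
    """Map each link in a message to its classification; anything not 'trusted' deserves a second look."""
    return {href: classify_link(href) for href in hrefs}

# Constructed sample links, as they might sit behind buttons in a message.
SAMPLE_LINKS = [
    "https://mail.example.com/inbox",
    "https://examp1e.com/login",
    "https://example.com.account-verify.net/",
    "https://exarnple.com/reset",
    "https://docs.python.org/3/",
]
```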

Every few months, it is a good idea to revisit these three core areas:

  • App & System Updates
  • Accounts & Passwords
  • Email Habits

Consult with a professional to develop a process to make sure that you and your organization are always protected.