What is two-factor authentication and how can you create and maintain strong passwords?
With so much of our lives now reliant on digital technology, our digital accounts have become a prime target for criminals such as hackers and scammers. While account security, passwords and two-factor authentication (2FA) might not seem like the most exciting subject, it‘s something all organizations should take seriously.
This article explains what two-factor authentication is and why you really should be using it to improve your security. We’ve also included some bonus tips and advice on how you can create strong passwords that criminals will struggle to hack.
Table of contents
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) is an extra layer of security created to protect online accounts beyond the standard username and password method. Users must present two or more pieces of verification (e.g. your password plus at least one more factor) to prove your identity and gain access. It’s also sometimes referred to as 2-step verification or a two factor password.
There are many forms of authentication used in 2FA. Common second factor authentication methods for 2FA include:
Having an SMS text message with a verification link or security key sent to your mobile device’s phone number
Receiving a time-sensitive verification code/security code/QR code/one-time password (OTP) to your email address (a 2FA email)
Receiving a voice call on your mobile phone (the phone call confirms it’s you trying to log in)
Receiving a push notification on your iOS/android mobile device when there’s a login attempt on a new device (or from an unfamiliar location)
Biometric authentication (e.g. fingerprint recognition to unlock an iPhone device)
These two-step verification methods are possible thanks to authenticator apps such as Google Authenticator, Microsoft Authenticator and Authy, as well as in-house technology built by companies such as Apple.
Sensitive accounts that should employ multi-factor authentication methods include:
Email service provider accounts (e.g. Gmail and Outlook)
Mobile apps on iPhone, Windows or Android devices
Web browser accounts (e.g. your Google account on Chrome)
Social media profiles (e.g. Facebook, Twitter and LinkedIn)
Online payment accounts or ecommerce sites (e.g. Amazon and PayPal)
Online banking accounts
On Pipedrive, 2FA is an optional (but strongly recommended) method of confirming your authorized account user‘s identity by combining two distinct, unlinked factors to provide additional security. Those factors are:
Something the user knows (a strong password)
Something the user physically has (a laptop, smartphone, etc.)
Using a single-layer data authentication protocol such as a username and password on its own is practical, but it’s often not secure enough. We’ll explain why passwords alone are insecure later in this article.
Once you’ve enabled 2FA, you’ll be sent a verification link to your email address when you try to log in to Pipedrive. You’re then able to see where in the world the login request is coming from so you can confirm it was you or whether a hacking attempt has been made.
This way, even if hackers crack your password, they still won’t be able to access your Pipedrive account and cause you any lasting damage. If you don’t recognize the login attempt and it’s not from one of your trusted devices, all it takes to secure account recovery is a simple password reset and you’re back in control.
Even with all of these extra steps and protection, is 2FA really secure? Unfortunately, as hacking methods become more advanced, nothing can provide 100% protection. However, 2FA does offer far better protection than a simple username and passcode.
Why should you use 2FA?
You might think your email account password is unbreakable, but no matter how complex a password is, it’s never strong enough on its own to fully protect against account takeover (ATO). One phishing email or successful database attack and you could expose yourself and be vulnerable.
Statistically speaking, a damaging attack that exposes your password(s) is unlikely, but by enabling two-factor authentication and allowing 2FA on emails so that authentication codes can be sent to you, you’ll be reducing the risk.
ATO is a rapidly-expanding problem that costs companies billions of dollars worldwide, not to mention the often unquantifiable (but equally significant) losses caused by inevitable reputational and brand damage.
Having your Pipedrive account hacked might not result in any direct monetary losses, but it could result in lost time and resources spent trying to locate the source of the ATO and trying to prevent it again. You’ll have to clean up the mess, inform customers who may have received confusing or reputational-damaging emails from your account, and deal with any associated fall-out.
For the same reasons, your business should also employ 2FA security on your website. If hackers get into a customer’s account and make purchases without their consent, it could cost your team time and money as you investigate what happened and offer the appropriate refunds.
Such attacks can be devastating to consumers. Stolen credentials can lead to identity theft, such as criminals acquiring credit cards in the customer’s name, resulting in big shopping sprees that can damage credit scores.
According to the Verizon 2021 Data Breach Investigations Report (DBIR) organizations that did not leverage 2FA or virtual private networks (VPNs) in 2020 represented a significant percentage of victims targeted during the pandemic.
How do I enable Pipedrive‘s two-factor authentication?
2FA is available to all our customers.
It‘s easy to set up two-factor authentication on Pipedrive: Here’s our guide to setting up 2FA.
How to create and maintain strong passwords
While two-factor authentication (2FA) provides an additional layer of security, strong passwords are also important in keeping your online accounts and personal information safe from cybercriminals.
The stronger the password, the more secure your online accounts and associated data asset(s). It makes good business sense to do everything in your power to protect your most valuable asset.
How to create a strong password
To create a strong password, follow these steps:
Make sure your password is long enough (12 characters minimum, preferably more)
Use a combination of numbers, symbols, upper- and lower-case letters
Make it as random and unpredictable as possible
Create a password that you’ll actually remember (while still following the advice in the previous step)
Test your password to make sure everything works
To test the strength of your existing or proposed new passwords you can use one of the many free online checkers.
How to maintain good password hygiene
What is password hygiene and why is it important?
Put simply, password hygiene is a term to describe the steps you should take to keep your password as healthy and secure as possible. A few key steps are:
Don’t share your passwords with anyone or write them down.
Use a free Password Manager app to store and protect your passwords (such as LastPass or Keeper)
Try not to use the same password for all your accounts. It’s a tall order as the number of different accounts we have continues to grow, but if you must duplicate passwords, at least make sure they’re as strong as possible
Don’t log in on unsecured WiFi networks. If you’re not confident in the internet connection you should change your password afterward.
Change your password when necessary. You should consider changing your password after a security breach, after logging in on a shared or public computer and after temporarily sharing access with someone else.
Why are passwords on their own so insecure?
Here are a few key reasons why passwords are so insecure:
People choose really weak passwords
People share passwords with others and write them down
People use the same password for multiple accounts
Passwords aren’t changed as frequently as they should be
Businesses keep departed employees’ accounts active long after they have left an organization
An alarming statistic from Verizon‘s 2021 Data Breach Investigations Report (DBIR) was that weak or stolen passwords are responsible for 61% of hacking-related breaches.
Take note: A hacker can crack a simple password in a matter of seconds, just by using a free password hacker tool (yes, such tools actually exist). Therefore, it really pays to spend a few extra minutes ensuring you don’t end up part of that statistic anytime soon.
Final thoughts
We can now answer two very straightforward questions:
Is a strong password necessary? Yes.
Is two-factor authentication (2FA) necessary? Yes.
You should be taking these three steps to make your Pipedrive account as secure as humanly possible:
Create a strong password
Maintain good password hygiene
Enable two-factor authentication (2FA)
If you’ve taken these three steps then you’ve done everything you can. By taking good care of your account security, you’re also taking good care of your customers.
As mentioned, account security, passwords and two-factor authentication (2FA) isn’t a topic that will ever get your pulse racing unless criminals hack your account – something that no one wants to experience.
