Sometimes we are asked whether Sporty provides 2FA (two-factor authentication) or MFA (multi-factor authentication) for accessing the platform.
What is 2FA and MFA?
Most online services use a username/password combination for logging in. This traditional method of user access control works reasonably well, especially when the service provider has taken steps to prevent brute-force attacks (where an attacker automatically tries millions of username/password combinations in the hope of finding one that works).
However, sometimes a username/password combination is compromised because of poor security behaviour by the user. For example, (a) a user might choose a weak password (such as "1234" or the word "password"), or (b) the user might use the same username/password combination for multiple sites, and one of those other sites might store passwords in plain text (rather than as salted hashes); if that site is later breached, the exposed credentials can be tried against every other site the user is known to use (so-called credential stuffing).
To help protect people whose username/password combination is insecure, some online services add an extra layer of security before users can log in. This is sometimes called "Two-Step Verification", "Two-Factor Authentication" or "Multi-Factor Authentication". In these instances, when you sign in for the first time on a new device or app (such as a web browser) you need more than just a username and password. You need a second verification method, or "factor", to prove who you are.
Each "factor" is one way of confirming your identity when you sign in. For example, a password is one type of factor, being a thing that you know. The three most common kinds of factors are:
- Something you know - Like a password or a PIN.
- Something you have - Like a phone running an authenticator app, or a hardware security key (USB dongle).
- Something you are - Like a fingerprint, or facial recognition.
Some services require users to have a second factor of identification to protect people who choose weak passwords or happen to use the same username/password combination on another site whose security was breached.
Why doesn't every website require 2FA or MFA?
The main reasons that most sites still prefer not to require 2FA or MFA are:
- Dependency on devices: if you do not have access to your second factor (such as your phone) at the time you need it, you will be unable to log in. This is frustrating, especially for informed users who already practise good security behaviour by using strong, unique passwords.
- Potential for exploitation: some methods used as a second factor, such as SMS codes, can be intercepted or captured through SIM swapping, and any code a user types in (SMS or authenticator app) can be relayed in real time by a phishing site. Only phishing-resistant methods such as hardware security keys avoid this.
- Implementation costs: setting up and maintaining 2FA/MFA systems can be costly and require ongoing management.
- Increased login time and complexity: the extra step can make the login process longer and sometimes inconvenient, especially when the user just wants to perform a quick task.
Most service providers weigh the cost and inconvenience of 2FA/MFA against the risk of what an unauthorised user could see or do once logged in. They also consider how security-aware the authorised users are likely to be. If authorised users follow good security practices and the site is built to resist brute-force attacks (for example, by limiting the number of login attempts), then 2FA/MFA is often deemed to introduce unnecessary inconvenience and expense.
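Two of the controls this argument rests on are the protection of stored passwords (so a breach does not expose usable credentials) and a limit on failed login attempts. The following added example, which is not Sporty's code and makes no claim about how the Sporty platform works, shows one common way to implement both: passwords stored as salted PBKDF2-HMAC-SHA256 hashes, verified with a constant-time comparison, plus a per-account failure counter that locks the account for a fixed period. The iteration count, failure threshold and lockout duration are assumed values; the `iterations` parameter exists only so the cost can be lowered for quick tests.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's current guidance for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5             # assumed: failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two accounts with the same password get
    different stored values, so a leaked table cannot be attacked with one lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class Account:
    username: str
    password_hash: str
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Username/password login with per-account failure counting and lockout."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.accounts: Dict[str, Account] = {}
        # Hash checked for unknown usernames so the response time does not reveal
        # whether an account exists.
        self.dummy_hash = hash_password(os.urandom(16).hex(), iterations)

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_password(password, self.iterations))

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            check_password(password, self.dummy_hash)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if check_password(password, acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("admin", "correct horse battery staple")  # constructed demo account
    print(svc.login("admin", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        print(svc.login("admin", "wrong"))
    print(svc.login("admin", "correct horse battery staple"))  # locked
```

A per-account limit does not by itself stop credential stuffing, where an attacker tries one leaked password against many different accounts; that usually also needs per-source-IP rate limiting or checks against known-breached password lists, which is why the page's argument leans on users not reusing passwords.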
What is Sporty's position on 2FA/MFA?
Users who have a login to view and interact with data in the Sporty platform are a relatively small number of known administrators. Our preference is that these people follow good security behaviour by using strong passwords and not reusing the same username/password combination on other sites. Sporty does not store passwords in plain text, so in the unlikely event that the platform is ever breached, Sporty will not expose these credentials in a form that can be used to access other sites.
In over 15 years of service to administrators for thousands of organisations, we are unaware of a single instance of the Sporty platform having been accessed by an unauthorised person using the username/password combination of a legitimate user. Our current position is therefore that the cost and inconvenience of 2FA/MFA is not justified.
However, if any of our clients have their own policy that requires 2FA/MFA, we can implement it at the client's expense. If your organisation requires 2FA/MFA and is prepared to pay for this extra layer of security, please ask us for pricing to develop and implement it for you.