If you're like most organizations that we work with, website security is a high priority. Having your website hacked can ruin your day and result in hours or days of recovery, not to mention significant costs in the event of a data breach. Since we work with lots of organizations that manage sensitive data, such as financial institutions, government, manufacturing and healthcare, this is a common concern that we address.
Our focus on security is one of the reasons we build our clients' websites on Accrisoft Freedom. While Freedom is PCI compliant and very secure by default, there is another layer of security that many of our clients love to utilize: 2-step verification.
You may be familiar with 2-step verification if you've set up your email or any of your social media accounts to send you a special code via text message that you need to use to complete the login process. Or if you're a gamer, you may be familiar with Blizzard's 2-step authentication system which is app-based.
2-step verification adds an excellent layer of security to your website because it ensures that even if someone gains access to your username and password, they still cannot log in unless they get access to your mobile phone (which ideally is already protected with a PIN). This makes it extremely unlikely that a potential intruder would be successful at gaining access to your website CMS.
So how does 2-step verification work on your Accrisoft Freedom website? Here are the steps. This assumes you are a SpinWeb client. If you're not a client (yet), give us a call anyway if you have questions.
1. Contact Our Support Team to Request 2-step Verification
The first thing you'll need to do is contact us to request that we enable 2-step verification for your website (we may need to upgrade your CMS license first). We will then activate this feature and send out a unique email to all of your website administrators that will give them next steps for logging in.
2. Download the Google Authenticator App
In order to use 2-step verification, you will need to install an app on your phone. There are versions for iPhone (or any iOS device) and Android.
This app generates the unique code that you will need to log into your website each time.
3. Scan the QR Code You Receive in Your Activation Email
Once you download the Google Authenticator App, you will need to use it to scan the QR code that you received in your activation email. This option will say something like "scan barcode" in the app user interface. Once you scan the QR code, the app will activate a profile for your user account on your website.
Once this step is complete, you'll notice that the app will create a unique 6-digit code and refresh it every 30 seconds. This is the code that you will use each time to log into your website.
Be sure you delete the email containing the QR code after you set up the app.
4. Log Into Your Website and Change Your Password
You will be asked to change your password the first time you log in after activating 2-step verification. You'll enter your current password first and then choose a new password to enter in the next two fields to confirm it.
5. Log Into Your Website Using 2-step Verification
Now you're all set to use 2-step verification. When you log into your website, you will notice that instead of two fields (username and password) you now have three: Username, Password and Google Authenticator Code. Your username and password go in as usual. Your Google Authenticator code is the code that the app displays.
When you open the app, you will see that it shows a 6-digit code with a small timer. The timer resets every 30 seconds and displays a new code when it resets. You will need to enter the code you see in the app to complete the login process. If the timer is about to reset, you will want to wait a few seconds for the new code to give you time to log in.
Now your website is secured with 2-step verification. As you can see, if someone wanted to gain access to your website via the CMS, they would need to know your username, your password and also have access to your phone. To ensure optimal security, you should also set a security PIN for unlocking your phone (that's already part of our security policy here at SpinWeb).
2-step verification does take some getting used to, so it may cause a little bit of confusion for website managers at first, but we recommend implementing it for any website that manages sensitive data. It will give you peace of mind and ensure that your website is as secure as possible.