
E-mail + Password is not enough - Use Two-factor authentication to be secure

     

We would like to proactively ensure that all ContractWorks customers are protected against unauthorized access to their data rooms. Our engineers have analysed User data across our entire system and, while use of 2-factor authentication (the code sent via SMS text on initial login) is high, we would like to further encourage Administrators to ensure it’s switched on for every user.

Security-conscious companies will assume that everyone invited into their systems via e-mail will have had their password compromised at some point.

 

Here’s why:

 

  • Remembering a lot of long, complex passwords is hard and (let’s be honest) annoying, so it’s common for people to have a password that they share across multiple applications.
  • If you follow the press, you’ll be aware of security issues at companies such as LinkedIn, MySpace and Adobe that have led to hundreds of millions of stolen passwords that have been decrypted and put up for sale on the black market.
  • It is the combination of these two elements that provides the biggest risk: uncovering a single password to, for example, LinkedIn may let the criminal into a range of applications that are far more sensitive and business critical, because the user replicates the password in different systems.

By using 2-factor authentication for every user, you make it virtually impossible for an intruder to gain access to your private information. Even if they have the correct email address and password, they still need the SMS text code from a valid cell phone. It’s a few seconds of extra effort that not everyone is always happy about, but it’s your data and your company that’s at risk from unauthorized access if 2-factor authentication isn’t switched on.

Making sure two-factor is switched on in ContractWorks:

 

  • When you invite a new user, the option for 2-factor authentication is checked by default. You can turn it off, but a warning will flag up. We strongly urge you to leave it checked.
  • To find out who has it turned on currently, go to the Users tab and scan the “Two Factor?” column for “No”.
  • To switch it on for existing users, go to the individual User record by clicking on their name in the list of Users (under the Users/Roles tab). Check the box to turn on 2-factor authentication and they’ll be required to generate the text code next time they log in.
  • If you have any issues with 2-factor, such as expired cell phone numbers or issues receiving text messages, please let us know. We can replace old phone numbers in the system for you, and we’re actively looking for feedback regarding alternate methods of delivering codes in addition to the standard SMS text messages.