Our article "Your Nfield login's value on the dark web" explains why access to your Nfield account is such a tempting prize for hackers. The good news is you can make it almost impossible for them to get in by deploying two-factor authentication. Adding this extra security layer to your username and password login makes your Nfield account more than 99.9% less likely to be compromised, according to research by Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft [1].
This article explains the concept of two-factor authentication (2FA) and its benefits, as well as giving instructions for setting it up and rolling it out in your organization.
How two-factor authentication (2FA) works
You’re probably already familiar with using two-factor authentication to access things such as bank, social media (Facebook, LinkedIn, Instagram) and email accounts. 2FA adds to the first factor – your email address/username and password combination – by asking for a code which can only be obtained via a physical object you have in your possession. This might be a key-like token, an office access card or an SMS message received on your mobile phone. Very highly secured systems may even require a third factor, such as a fingerprint or iris scan.
Nfield accounts secured with two-factor authentication require users to enter a code (a token) generated by a standard authenticator app on a mobile phone. This has the effect of complementing something you know (your username and password) with a code obtained through something you have (your phone). It effectively blocks any hackers who have obtained your username and password from getting into your Nfield account, as they would not be able to retrieve the second factor code from the phone. Your valuable Nfield fieldwork and respondent data is thereby protected from prying eyes.
Data security compliance
Different companies have different policies for protecting different types of data. Even if your organization doesn’t require two-factor authentication, your client’s organization might. Having it set up on your Nfield account means you’ll be compliant with every policy or project requirement.
Two-factor authentication in relation to GDPR, ISO 27001 and ISO 27002
- The General Data Protection Regulation (GDPR) states that appropriate data security is a mandatory requirement. However, it is up to individual organizations to determine how they should achieve this. As an example, the Dutch Data Protection Authority (Dutch DPA) is responsible for a hospital patient portal in which medical data is stored. The GDPR [2] considers this sensitive personal data. The Dutch DPA has opted to deploy two-factor authentication to satisfy the requirement for appropriate data security.
- ISO 27001 only states that access control should require secret information, such as a password, as a means of authentication [3]. However, ISO 27002 advises a tighter level of control and recommends using two-factor authentication for a number of scenarios. These scenarios include Nfield, as it falls within the categories A.9.4.2 (secure log-on procedures) and A.9.4.4 (use of privileged utility programs).
With compliance and IT policies regularly being updated to fend off new security threats, it’s probably only a matter of time before two-factor authentication becomes a standard requirement.
[2] https://www.zivver.com/blog/which-type-of-2fa-do-i-need-to-use-under-the-gdpr
[3] https://advisera.com/27001academy/blog/2017/01/16/how-two-factor-authentication-enables-compliance-with-iso-27001-access-controls/
Enabling two-factor authentication in Nfield
Enabling this feature across an Nfield domain can only be done by domain administrators or local domain managers. The setting is located on the password policy page in the domain settings.
After enabling two-factor authentication, follow the on-screen instructions to complete the two-factor configuration. You'll need to start by selecting and setting up an authenticator app, such as Microsoft Authenticator, Google Authenticator or others. Next, use the app to scan the QR code provided by Nfield. Once everything is correctly configured, the app will display a code which needs to be entered into Nfield to complete the setup. It is as simple as that! Every subsequent login to Nfield asks for a fresh code from the app.
Two-factor authentication will become effective across your Nfield domain within 30 minutes of being enabled. Any logged-in users will get the same prompt asking them to complete their configuration setup. Other users will get this prompt when they try to log in. Access through the public API (https://www.nipo.com/api-what-researchers-need-to-know) is exempt from two-factor authentication.
Timing your 2FA roll-out
To minimize disruption to your team, please plan this carefully. We recommend you consider the following:
- Read and share this article.
- Communicate with your team about why 2FA is necessary and what to expect.
- Best practice is to use the authenticator on a phone, not on a PC. The second factor is far more secure when it comes from a separate device. An authenticator installed in a PC browser is vulnerable, because an attacker who compromises the PC gets hold of both factors at once.
- Find a good time to enable 2FA. Doing this at the start or end of the day may be best, so setting up the two-factor configuration doesn't disrupt other tasks. Also, try to avoid days on which your users are likely to be especially busy. It's a very good idea to plan it during our Amsterdam helpdesk office hours (9 AM – 6 PM GMT+1), so we can help you out if necessary. If necessary, our team can also disable two-factor authentication on your domain.
- Enabling 2FA in Nfield won't apply it to Single Sign-On logins. Consult your IT department about adding 2FA to Single Sign-On accounts.
- Set a very strong password for the system default login "DA" and keep it in a secure place.
Whether or not you feel you need it right now, we highly recommend enabling two-factor authentication for your Nfield domain, to enjoy stronger security and get more out of Nfield. If you have any questions, please contact our helpdesk. And, of course, we're always curious to get your feedback via your account manager.