Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

Why You Should Be Using Two-Factor Authentication

While strong, complex passwords are an effective first line of defense when securing business accounts and applications, they are not fool proof and can be compromised if a hacker gains access to company systems. Two-factor authentication (2FA), also known as multi-factor authentication, serves as an extra line of defense and complicates the login process by adding an additional form of identity verification.

Cybersecurity attacks and breaches of Protected Health Information (PHI) are increasing as the tools used by hackers become more and more sophisticated. Don’t let yourself or your clients become the next target. The solution? Implement two-factor authentication.

What is two-factor authentication?

If you’re new to the world of two-factor authentication, you might be wondering how it works. Basically, two-factor authentication adds an additional layer of security to online accounts. It requires an additional login credential (beyond username and password) to access an account. For example, an application will email an additional code to you, ask you verifying questions you have previously answered, or send a text to your mobile device. In short, it makes it even more difficult for information to land in the wrong hands, and adds another layer of security.

But choosing a method can be a bit daunting. There are many forms 2FA can take, from free or paid software programs to verification through text or email. To get you started, here are a few methods of 2FA we recommend considering, and some you may want to retire.  

Biometric authentication

Biometric authentication requires a user to verify that they are who they say they are via a physical characteristic — something like a fingerprint scan, or facial or voice recognition. For large organizations storing or accessing highly sensitive information, this is one of the most effective forms of 2FA. Because it is one of the most difficult to fake, biometric authentication gives your information a great chance at protection from bad actors.

Google Authenticator

Google authenticator is an easy, safe, and pretty painless option for many entities looking to implement two-factor authentication. This is a popular choice because many applications are compatible with Google Authenticator. If you’re already using Google systems, then integration will be even easier. Basically, all the user has to do is download the app and register the program they want to use. The application will generate a 6-digit code that can be input into applications to verify the user’s identity.

Zoho OneAuth

Zoho OneAuth is a comprehensive multi-factor authentication app that allows you to access all your necessary applications without compromising security. This application works similarly to Google Authenticator in that it generates a 6-digit code that the user inputs into the application.

Bluetooth or USB key

A bluetooth or USB key can be an effective physical safeguard against breaches of protected data. Rather than verifying the user’s identity through online authentication, this method requires the use of a physical security key which hackers cannot compromise through usual means. This form of authentication is recommended by the FIDO Alliance, an organization dedicated to promoting better authentication standards.

Text message verification

If downloading yet another mobile app sounds like something you or your employees would like to avoid, then text message verification may be a more suitable fit. It’s an option that utilizes an existing app, and can be easily implemented. The program will send a text to your mobile device with a one-time pin to input into the site. It’s simple and easy. However, there is a chance texts can be intercepted by bad actors. NIST does not recommend this as an authentication method. 

Email

Email verification is a simple, easily implemented form of two-factor authentication, since people often view their email accounts daily and tend to have easy access on mobile and/or desktop devices. This is, however, the least secure of the 2FA options. If your system is compromised, there is a chance hackers may have access to emails on the system which would make 2FA useless.

Backup codes

When you activate 2FA on your system, you have the option of downloading backup codes that you can use to access the system. It’s important to keep these codes in a safe place, in the event that your phone is lost or stolen. Otherwise, you won’t have access to the device that you would normally use for 2FA. These codes are like passwords, and need to be stored securely! They are best used only for emergency access. 

Making the choice

Whichever two-factor authentication method you choose, it should reflect the current state of your business, your security standards, and the ways in which your employees access and secure protected data. 

Discuss possible 2FA options with members of your compliance team or IT personnel. Whichever method you choose, be sure to enable it on all accounts, devices, and programs used in the course of business. Securing protected data should be a number one priority, and with two-factor authentication, that task is made easier and more effective.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)