The number of stolen usernames and passwords has exponentially increased in the past several years. To best protect your data, impact.com has implemented new authentication and login policies. Here’s what you need to know.
In this day and age, the average person uses close to 200 services requiring login credentials. It’s no wonder many of us default to the same password for multiple accounts. But this leaves you vulnerable to cybercriminals, who reportedly have access to 15 billion stolen credentials from over 100,000 hacked accounts.
If hackers get access to your information, your bank accounts, health records, company confidentials, you risk a host of other private information being stolen. Two-factor authentication (2FA) puts up a barrier between you and cyber thieves, making your data less enticing to steal.
That’s why impact.com has recently implemented a new requirement that all users use individual login credentials and 2FA. This change is mandatory by January 31, 2023.
We understand changes like this come with some frustrations. This new policy is the best way for us to protect your data. Below you’ll find answers to some common questions about our new login policy changes.
Why does everyone need login credentials?
Individual user credentials provide greater security and transparency in your account. For example:
- When each user has their own username and password, you can pinpoint which user took a particular action in your impact.com account.
- You can see who updated a contract or initiated a funds transfer with individual logins.
- Perhaps most importantly, you can ensure that former employees cannot continue to access your company’s account via shared login.
Individual user credentials also allow you to control account permissions on a per user basis, so users only have access to the areas of the product you want them to access. The impact.com platform allows unlimited user seats per account and 70-plus unique permissions so every team member can have the necessary access.
This policy aligns with the principle of “least privilege,” which dictates that users’ access rights are limited to what is strictly required for their jobs to protect your data. With impact.com’s permission settings, you can rest easy knowing your data is safe.
That’s great, but my team prefers shared logins. Why can’t we keep them?
Shared logins are incompatible with 2FA because the platform will prompt the first user to log in with shared credentials for 2FA. After the first user successfully logs in using 2FA, subsequent logins from a different device will trigger a 2FA prompt to the first user’s device.
We have our own internal user access controls and tools. Why aren’t those enough?
Individual user credentials and 2FA add a layer of security to your access controls. With separate access and 2FA, you can be confident that only the correct team members initiate contract changes, funds transfers, and other sensitive account actions.
Additional employee access controls like requiring a VPN or a password management tool for your employees do not protect against unauthorized access by individuals outside your organization. With individual user credentials and 2FA, we protect you from unauthorized access by individuals outside your organization.
Why is 2FA based on a phone number and not a work email address?
Two-factor authentication (2FA) relies on two principles: 1) something you know and 2) something you have. In this case, the “something you know” is your password and the “something you have” is your mobile device. By requiring both, we ensure that a compromised password is not enough to gain unauthorized access to your account.
If we only relied on a work email address, a bad actor could gain access to that email account and initiate email-based password resets across all platforms linked to that email account. They would then have access to all connected platforms. In the same scenario with 2FA, a bad actor could not gain access to linked platforms.
You may use personal mobile devices and numbers to fulfill principle two. If a user leaves the company and still has their device, they will no longer have access to an active username/password (principle one) and cannot access the account.
The phone number you use for 2FA is only used for 2FA by impact.com and is never shared.
Do I have to use a two-factor authentication code every time I log in?
No. The platform won’t prompt you to enter a two-factor authentication code when using a trusted device. To avoid this prompt, check the box marked “Remember this device” before you log in.
After you have successfully verified your account, you may use SMS codes, voice calls, or the Authy authenticator app to verify your account when logging in from a new device.
Other platforms and networks don’t require 2FA — why does impact.com require it?
Great question! To be honest, we’re not sure why they don’t. At impact.com, we find the security of the data and funds you have entrusted with us to be critically important. 2FA is an additional security measure enforced to help protect your account and is the global standard in industries like banking, fintech, and communications.
We appreciate you taking this critical action to ensure your account remains as secure as possible. Don’t hesitate to contact impact.com’s support team with questions by logging in to your account and clicking on the “Need Help?” button in the bottom right corner of your screen.
If you have a large team and need assistance adding extra users to your account, reach out to your account manager or our support team. We’re happy to help!
