In 2014, there were so many major data breaches that it was barely even news when millions of customer profiles were compromised. It’s easy to think that hackers will find a way to break into our systems no matter what we do. But you might be surprised to find that one simple precaution could protect you from hackers—two-factor authentication.
A recent article in PCWorld warned that companies are setting themselves up for a hack if they don’t take advantage of two-factor authentication.
“While people may claim that the attackers in these breaches are advanced, sophisticated, or state-sponsored, their actual execution is quite simple in nature,” Jon Oberheide, co-founder and CTO of Duo Security, said in the article. “Simple phishing and other credential theft attacks have not only been the initial entry vector to these companies, but also how attackers move laterally within an organization to reach their eventual target.”
The Benefits of Two Factors
There are usually three ways to prove someone’s identity:
Something you know, like a password
Something you have, like a cell phone
Something you are, like your fingerprint
Usernames and passwords are the most common way to authenticate a person, or to prove they are who they say they are. Even though this method uses two pieces of information, it’s considered single-factor authentication because both the username and password are things you know.
A person’s username is usually fairly easy to guess, and passwords are increasingly easy to crack or steal. In fact, hackers often get access to usernames and passwords through phishing attacks. High-profile breaches like those at Target, Home Depot and Sony started with a simple intrusion.
“Had those organizations used two-factor authentication, and also required something you have or something you are, the attackers wouldn’t have been able to do much with the username and password,” Tony Bradley, principal analyst with the Bradley Strategy Group, said in a recent PCWorld article. “However, two-factor authentication alone is not enough. It has to be properly implemented two-factor authentication.”
Two-Factor Use Remains Limited
Many companies already use multi-factor authentication, but only for key users or servers. Hackers need just one server that’s not protected by multi-factor authentication to gain access.
“It’s like locking every door and window in your house except for one, and hoping a burglar isn’t thorough enough to find the one unlocked entrance,” Bradley said. “It’s only a matter of time until a username and password is compromised, but as long as the attacker doesn’t also have the mobile phone or fingerprint that goes with those credentials, the data will still be safe.”
Bradley goes on to recommend that all companies and individuals use two or more factors of authentication everywhere possible.