In January, the New York Times published a column entitled “Two-Factor Authentication Might Not Keep You Safe.” The author presented examples, investigated by Amnesty International, in which hackers overcame two-factor authentication. They set up phishing sites that captured not only usernames and passwords but also the second-factor codes.
Two-factor authentication requires that when you sign on, you supply not only your username and password but additional evidence of your identity. That evidence can be, for example, a code sent to your phone or generated by an app. Nobody without your phone can get the code. If you then type that code into a phony site, however, the attacker has it, and you can still get hacked.
In this age of tl;dr (too long, didn’t read), some people may miss a comment near the end of the article. It says, “As long as it significantly decreases the likelihood of account compromises, two-factor authentication is still worth using.” We agree. In fact, we recommend that if you haven’t got two-factor, or multi-factor, authentication (MFA), you get it now.
The examples in the article require elaborate effort on the part of the hackers. They have to operate the site that collects passcodes almost constantly, because the stolen code is only useful while it is still valid. Many two-factor authentication systems expire their codes within a short period. Many sites also log you out if they see no activity. These precautions should stop some automated attacks.
We think hackers will expend this degree of effort only on high-reward targets. Most of us don’t run those kinds of sites. Meanwhile, MFA will keep out a lot of less enterprising criminals.
Two-factor authentication could be free
We particularly recommend adoption if you are one of those fortunate organizations that gets MFA free with your Office 365 suite. As more applications move to the cloud, credential theft will increasingly be the method of choice for getting into otherwise very well-protected sites.
In addition to using MFA, you should train your users on how to protect their credentials: not sharing passwords, choosing strong passwords, recognizing phishing attempts, and using a password manager.