Lindsey M. Donato, CISA, PMP
As the internet becomes an increasingly popular place for cybercriminals to steal personal information and commit fraud, a simple login with username and password is no longer enough. Single-factor authentication (a login that requires only a username and password) makes it easier for cybercriminals to gain access to users' private information (financial and personal data), which the criminal then uses to commit fraudulent acts. This is where two-step verification and authentication comes in as an added protection.
What is Two-Step Verification?
Two-Step Verification or Authentication, abbreviated 2FA or TFA, is a form of what is also referred to as "multi-factor authentication." When used, it requires a second verification step beyond the username and password. That step relies on something unique to the user that only they have, whether a piece of information or a tangible item such as a physical token. This extra login "layer" makes it much more difficult for criminals to obtain the user's personal information. Keep in mind that today's cybercriminals go after "easy targets" and simple scams, so the added step in itself makes an account a less attractive target.
Two-Step Verification generally works with two out of three types of user validation:
- What a user has (key card/fob)
- What a user knows (security code/pin/password)
- What a user is (fingerprint, voice recognition, biometrics)
To make this easier and more convenient, some organizations use mobile devices and SMS (text) messages to achieve two-factor authentication. Users are sent a unique code to their mobile device as the second factor required to log in. This removes the need for companies to order hardware tokens to distribute to employees.
So does this solve everything? Unfortunately, no. The problem now arising is that hackers are using the account "recovery" feature to get around two-factor authentication. Cybercriminals use the "forgot my password" functionality to have a user's account password reset. In a typical password recovery function, the user is issued a temporary password to reset their account; when that recovery path does not itself demand the second factor, the hacker has bypassed the two-factor authentication mechanism.
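As an added example (not from the article), the following Python sketch models the SMS-code login described above next to two recovery flows: one that issues a password reset on the strength of the request alone, and a hardened one that gates recovery behind the same second factor as login. The account, phone number, code lifetime and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300       # seconds a delivered code stays valid (constructed value)
OTP_ATTEMPTS = 3    # guesses allowed before the code is discarded

def hash_secret(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()  # demo-only; use a password KDF in production

def new_account(username: str, password: str, phone: str) -> dict:
    return {"user": username, "pw": hash_secret(password), "phone": phone, "otp": None}

def send_otp(acct: dict, outbox: list, now: float) -> None:
    """Create a 6-digit code, deliver it via the simulated SMS outbox, store only its hash."""
    code = f"{secrets.randbelow(10**6):06d}"
    outbox.append((acct["phone"], code))
    acct["otp"] = {"hash": hash_secret(code), "expires": now + OTP_TTL, "left": OTP_ATTEMPTS}

def check_otp(acct: dict, code: str, now: float) -> bool:
    """Second factor: single-use, time-limited, attempt-limited, constant-time compare."""
    otp = acct["otp"]
    if otp is None or now > otp["expires"]:
        acct["otp"] = None
        return False
    otp["left"] -= 1
    ok = hmac.compare_digest(otp["hash"], hash_secret(code))
    if ok or otp["left"] == 0:
        acct["otp"] = None  # consumed on success, or discarded after too many guesses
    return ok

def login(acct: dict, password: str, code: str, now: float) -> bool:
    """Normal sign-in: the password and the delivered code are both required."""
    return hmac.compare_digest(acct["pw"], hash_secret(password)) and check_otp(acct, code, now)

def recover_weak(acct: dict, new_password: str) -> bool:
    """The gap the article describes: the reset request alone installs a new
    password, so the second factor is never presented on this path."""
    acct["pw"] = hash_secret(new_password)
    return True

def recover(acct: dict, new_password: str, code: str, now: float) -> bool:
    """Hardened recovery: the same second factor gates the reset as gates login."""
    if not check_otp(acct, code, now):
        return False
    acct["pw"] = hash_secret(new_password)
    return True
```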
Should Your Organization Implement Two-Step Verification?
The answer is ABSOLUTELY yes. Simply put, passwords alone are no longer strong enough protection. According to Heimdal Security stats, "90% of employee passwords can be cracked in six hours." Cyber attackers can test billions of password combinations in one second. Having a single password is not enough. For a hacker to obtain the second level of authentication, much more time and effort is required, and that may be just enough to deter the hacker from targeting your organization.
How BlumShapiro's Cybersecurity Team Can Help:
Could your organization be vulnerable to a cyber attack? What is your current exposure? How would your business continue to function in the event of a breach? Our cybersecurity experts can help you address the vulnerabilities and risks your organization faces from cybersecurity threats. Remember, the costs of developing a security strategy you feel confident about are minor compared to the potential financial and reputational risk if an attack or breach occurs.