As the internet becomes an increasingly popular place for cybercriminals to steal personal information and commit fraud, a simple login with username and password is no longer enough. Single-factor authentications (logins) that require only username and password are making it easier for cybercriminals to gain access to user’s private information (financials and personal data) which the criminal then uses to commit fraudulent acts. This is where two-step verification and authentication comes in as an added protection.
Two Step Verification or Authentication, abbreviated 2FA or TFA, is also referred to as “multi-factor authentication.” When used, it requires a two-step verification process beyond the username and password. This requirement is something that is unique to the user and that only they have, whether it be a piece of information or a tangible item, like a physical token. This extra login “layer” makes it much more difficult for criminals to obtain the user’s personal information. Keep in mind, today’s cybercriminals are going after the “easy targets” and simple scams, so having this added step in itself helps disinterest the cybercriminal.
To make this much easier and more convenient, some organizations are using mobile devices and SMS (text) technology to achieve two factor. Users are sent a unique code to their mobile device as the secondary authentication factor required to login. This alleviates the need for companies to order hardware tokens to distribute to employees.
So does this solve everything? Unfortunately, no. The problem now arising is that hackers are using the account “recovery” feature to break the two factor authentication function. Cybercriminals are now utilizing the “forgot my password” functionality to have a user’s account password reset. In general, in a password recovery function, a user is provided a temporary password to reset their account, and now the hacker has bypassed the two factor authentication mechanism.
The answer is ABSOLUTELY yes. Simply, passwords are just not strong enough protection anymore. According to Heimdal Security stats, “90% of employee passwords can be cracked in six hours.” Cyber attackers have the power to test billions of password combinations in one second. Having a single password is not enough. For a hacker to obtain the second level of authentication, much more time and effort is required. And that might just be enough effort to disinterest the hacker from targeting your organization.