Home / Blogs

Passwords Are Not Enough: Without Two Factor Authentication Your Business Is At Risk

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Evan Daniels

Passwords are no longer sufficient to maintain an adequate level of security for business critical infrastructure and services. Two-factor authentication should be considered the minimum acceptable level of access control.

There have been two types of security stories in the technology news over the last few months that should be of particular concern to system administrators and those responsible for maintaining business network infrastructure.

1. Brute Force Attacks

It's unfortunately a fact of life that people tend to be very bad at choosing and managing secure passwords. This applies less to technically adept system administrators — although they are not immune — , but most other people, including management and others with reason to access network infrastructure and business critical services often don't have sufficient training in basic password hygiene techniques.

When a hacker decides to try a brute force dictionary attack against a business' servers or their email, social media, or third-party infrastructure service provider accounts they are likely to find at least one weak account, and that's often all that's needed to establish a beachhead.

2. Stolen Password Databases

If password databases are properly hashed and salted, it's unlikely that all but the most determined hackers are going to be able to extract usable information for them. Sadly, that's frequently not the case, and password cracking technology has reached the level where inadequately hashed passwords can be fairly easily retrieved in a practical amount of time.

Your business may lose its password database to criminals at some point, but more worrying is the likelihood that employees have used the same identifying information on third party services like forums, which, when their poorly protected password databases fall into the hands of hackers, can be used against your business.

Even if employees haven't used their business accounts improperly, if their personal email falls into the hands of hackers, and they have used it as a secondary address for their business accounts, then it's trivial for the hackers to reset the passwords on the business accounts.

Passwords Are Inadequate

Passwords are too dependent on the level of technical expertise of their users and as technology advances are no longer sufficiently difficult to crack. Two-factor authentication should be implemented on all business critical infrastructure and services.

Two Factor Authentication

Passwords alone are one authentication factor. They are commonly described as something you know. Additional factors can be something you have and something you are. We're not concerned with the latter here, biometric authentication can be very secure, but it can also be complicated to implement.

Instead, we'll focus on something you have as a second factor. If you're a user of Google's services, you may be familiar with their Authenticator app, which is installed on mobile devices and provides a one-time code with a limited lifespan as a second factor of authentication.

Two-factor authentication is much more secure than using passwords on their own, and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.

Two Factor Authentication and DNS

DNS is one of the most important parts of the infrastructure of any site or online service. If it isn't secure, hackers could knock a site offline completely or redirect visitors to sites that will infect them with malware. To avoid the embarrassment and loss of reputation and revenue that an attack target against a company's DNS accounts can cause, a DNS hosting service that allows two-factor authentication should be used to verify the identity of those who need access.

By Evan Daniels. More blog posts from Evan Daniels can also be read here.

Related topics: DNS, Cybersecurity



To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper



Sponsored by Verisign
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year