Home / Blogs

Passwords Are Not Enough: Without Two Factor Authentication Your Business Is At Risk

Evan Daniels

Passwords are no longer sufficient to maintain an adequate level of security for business critical infrastructure and services. Two-factor authentication should be considered the minimum acceptable level of access control.

There have been two types of security stories in the technology news over the last few months that should be of particular concern to system administrators and those responsible for maintaining business network infrastructure.

1. Brute Force Attacks

It's unfortunately a fact of life that people tend to be very bad at choosing and managing secure passwords. This applies less to technically adept system administrators — although they are not immune — , but most other people, including management and others with reason to access network infrastructure and business critical services often don't have sufficient training in basic password hygiene techniques.

When a hacker decides to try a brute force dictionary attack against a business' servers or their email, social media, or third-party infrastructure service provider accounts they are likely to find at least one weak account, and that's often all that's needed to establish a beachhead.

2. Stolen Password Databases

If password databases are properly hashed and salted, it's unlikely that all but the most determined hackers are going to be able to extract usable information for them. Sadly, that's frequently not the case, and password cracking technology has reached the level where inadequately hashed passwords can be fairly easily retrieved in a practical amount of time.

Your business may lose its password database to criminals at some point, but more worrying is the likelihood that employees have used the same identifying information on third party services like forums, which, when their poorly protected password databases fall into the hands of hackers, can be used against your business.

Even if employees haven't used their business accounts improperly, if their personal email falls into the hands of hackers, and they have used it as a secondary address for their business accounts, then it's trivial for the hackers to reset the passwords on the business accounts.

Passwords Are Inadequate

Passwords are too dependent on the level of technical expertise of their users and as technology advances are no longer sufficiently difficult to crack. Two-factor authentication should be implemented on all business critical infrastructure and services.

Two Factor Authentication

Passwords alone are one authentication factor. They are commonly described as something you know. Additional factors can be something you have and something you are. We're not concerned with the latter here, biometric authentication can be very secure, but it can also be complicated to implement.

Instead, we'll focus on something you have as a second factor. If you're a user of Google's services, you may be familiar with their Authenticator app, which is installed on mobile devices and provides a one-time code with a limited lifespan as a second factor of authentication.

Two-factor authentication is much more secure than using passwords on their own, and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.

Two Factor Authentication and DNS

DNS is one of the most important parts of the infrastructure of any site or online service. If it isn't secure, hackers could knock a site offline completely or redirect visitors to sites that will infect them with malware. To avoid the embarrassment and loss of reputation and revenue that an attack target against a company's DNS accounts can cause, a DNS hosting service that allows two-factor authentication should be used to verify the identity of those who need access.

By Evan Daniels. More blog posts from Evan Daniels can also be read here.

Related topics: DNS, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

The Emotional Cost of Cybercrime

Why I Wrote 'Thinking Security'

Regulation and Reason

In Network Security Design, It's About the Users

RIPE 71 Meeting Report

Related News


Industry Updates – Sponsored Posts

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Internet Grows to 296 Million Domain Names in Q2 2015

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Sponsored Topics