Home / Blogs

Passwords Are Not Enough: Without Two Factor Authentication Your Business Is At Risk

Evan Daniels

Passwords are no longer sufficient to maintain an adequate level of security for business critical infrastructure and services. Two-factor authentication should be considered the minimum acceptable level of access control.

There have been two types of security stories in the technology news over the last few months that should be of particular concern to system administrators and those responsible for maintaining business network infrastructure.

1. Brute Force Attacks

It's unfortunately a fact of life that people tend to be very bad at choosing and managing secure passwords. This applies less to technically adept system administrators — although they are not immune — , but most other people, including management and others with reason to access network infrastructure and business critical services often don't have sufficient training in basic password hygiene techniques.

When a hacker decides to try a brute force dictionary attack against a business' servers or their email, social media, or third-party infrastructure service provider accounts they are likely to find at least one weak account, and that's often all that's needed to establish a beachhead.

2. Stolen Password Databases

If password databases are properly hashed and salted, it's unlikely that all but the most determined hackers are going to be able to extract usable information for them. Sadly, that's frequently not the case, and password cracking technology has reached the level where inadequately hashed passwords can be fairly easily retrieved in a practical amount of time.

Your business may lose its password database to criminals at some point, but more worrying is the likelihood that employees have used the same identifying information on third party services like forums, which, when their poorly protected password databases fall into the hands of hackers, can be used against your business.

Even if employees haven't used their business accounts improperly, if their personal email falls into the hands of hackers, and they have used it as a secondary address for their business accounts, then it's trivial for the hackers to reset the passwords on the business accounts.

Passwords Are Inadequate

Passwords are too dependent on the level of technical expertise of their users and as technology advances are no longer sufficiently difficult to crack. Two-factor authentication should be implemented on all business critical infrastructure and services.

Two Factor Authentication

Passwords alone are one authentication factor. They are commonly described as something you know. Additional factors can be something you have and something you are. We're not concerned with the latter here, biometric authentication can be very secure, but it can also be complicated to implement.

Instead, we'll focus on something you have as a second factor. If you're a user of Google's services, you may be familiar with their Authenticator app, which is installed on mobile devices and provides a one-time code with a limited lifespan as a second factor of authentication.

Two-factor authentication is much more secure than using passwords on their own, and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.

Two Factor Authentication and DNS

DNS is one of the most important parts of the infrastructure of any site or online service. If it isn't secure, hackers could knock a site offline completely or redirect visitors to sites that will infect them with malware. To avoid the embarrassment and loss of reputation and revenue that an attack target against a company's DNS accounts can cause, a DNS hosting service that allows two-factor authentication should be used to verify the identity of those who need access.

By Evan Daniels. More blog posts from Evan Daniels can also be read here.

Related topics: Cybersecurity, DNS

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll