The headlines for 2014 were full of incidents involving stolen credentials. One of the bigger headlines involved a Russian crime ring that amassed over 1.2 billion credentials involving more than 420,000 websites. Also this year, we have seen announcements from Apple, Google, eBay, and others, all involving compromised credentials. It should come as no surprise that Verizon’s 2014 DBIR (Data Breach Investigations Report) concluded that weak or stolen credentials were involved in several known breaches. The lesson we should learn from this is simple: usernames and passwords alone are not good enough!
So how can you prevent a corporate security breach if your credentials are stolen? If your business deploys any form of authenticated remote access (VPNs, e-mail access, intranets, cloud access, etc.), two-factor authentication should be a requirement for those technologies. Two-factor authentication identifies users by two different components, typically drawn from something the user knows, something the user is, or something the user possesses. A username and password combination is something the user knows. This is where many organizations end their authentication requirements, opening the door for stolen credentials to be used to access corporate assets. Requiring a second, independent form of authentication greatly reduces the risk associated with stolen credentials, because a stolen password alone no longer satisfies the login.
Several options exist to add another method of authentication to a corporation’s remote access requirements. Examples of what a user possesses include hardware tokens or smart phones, while voice or fingerprints would be considered something the user is. Some options involve upfront hardware and software costs, while others are cloud-based, requiring minimal upfront investment but carrying recurring fees. If only a username and password separate your business from the world, two-factor authentication can reduce your risks.