UPDATED 16:08 EST / JULY 04 2013

NEWS

False State of Security: Two-factor Authentication

Everybody’s talking about two-factor authentication (2FA) nowadays. You hear that Twitter is implementing it, Google, Amazon Web Services, all the big names. That’s a good thing, and if better authentication can be implemented on these services, that means better security

It’s not the be-all end-all however. 2FA has some weaknesses that many people don’t realize. If you’re using this kind of protection for your organization, it pays to be aware of some of this.

If someone is trying to use an unknown or un-verified device or location to try and pretend to be an employee, 2FA has done its job. It certainly makes for one obstacle that will challenge a determined party.

The truth of it is that the statistics don’t jibe with this as the major threat. The major threat is the actual device, endpoint, laptop, wi-fi access point, smartphone, tablet – you name it. That’s how computer crime is actually happening – by successfully compromising company devices. That happens when software goes unpatched, anti-malware goes unmanaged, successful phishing attacks are executed, or any number of ways to get a Trojan or privileged access.

The legitimate device, with legitimate access is statistically the true threat as it could easily invalidate the notion of 2FA.

2FA has no effect on endpoint attacks because of the very fact that 2FA is satisfied that the device is legitimate. It has happened in case after case, in government contractor situations, where systems were compromised and authentication was of little consequence to the breach. It happens in financial environments where attacks are launched by Trojans within the actual banking system and fraud is committed.

The truth is your present-day hacker bears little reverence for 2FA protection. That just tells them you’re probably satisfied with your 2FA accomplishment.

That problem, this false state of trust – is everywhere. The threat is massive, and merely resting on the fact that you have 2FA in place is a recipe for disaster. The types of malicious threats always come back to the same fundamentals– stealing financial information, identity, credentials, company secrets, and so on. If successful that data typically hits the underworld of the internet, gets traded on IRC sites, secret FTP locations, Bit-Torrent, and so on. When you sort through forensics in response to data loss, you see this again and again.   User behavior, unpatched software, mobile device vectors – so many things where 2FA doesn’t factor in at all – yet the company has lost critical information.  To summarize, 2FA is just a piece of the puzzle.  Enterprise security strategy has to involve layers and a focus on data.  As a client of services, you should take some comfort that 2FA is out there, but there’s much more.

 


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU