Everybody’s talking about two-factor authentication (2FA) nowadays. You hear that Twitter is implementing it, Google, Amazon Web Services, all the big names. That’s a good thing, and if better authentication can be implemented on these services, that means better security

It’s not the be-all end-all however. 2FA has some weaknesses that many people don’t realize. If you’re using this kind of protection for your organization, it pays to be aware of some of this.

If someone is trying to use an unknown or un-verified device or location to try and pretend to be an employee, 2FA has done its job. It certainly makes for one obstacle that will challenge a determined party.

The truth of it is that the statistics don’t jibe with this as the major threat. The major threat is the actual device, endpoint, laptop, wi-fi access point, smartphone, tablet – you name it. That’s how computer crime is actually happening – by successfully compromising company devices. That happens when software goes unpatched, anti-malware goes unmanaged, successful phishing attacks are executed, or any number of ways to get a Trojan or privileged access.

The legitimate device, with legitimate access is statistically the true threat as it could easily invalidate the notion of 2FA.

2FA has no effect on endpoint attacks because of the very fact that 2FA is satisfied that the device is legitimate. It has happened in case after case, in government contractor situations, where systems were compromised and authentication was of little consequence to the breach. It happens in financial environments where attacks are launched by Trojans within the actual banking system and fraud is committed.

The truth is your present-day hacker bears little reverence for 2FA protection. That just tells them you’re probably satisfied with your 2FA accomplishment.

That problem, this false state of trust – is everywhere. The threat is massive, and merely resting on the fact that you have 2FA in place is a recipe for disaster. The types of malicious threats always come back to the same fundamentals– stealing financial information, identity, credentials, company secrets, and so on. If successful that data typically hits the underworld of the internet, gets traded on IRC sites, secret FTP locations, Bit-Torrent, and so on. When you sort through forensics in response to data loss, you see this again and again.   User behavior, unpatched software, mobile device vectors – so many things where 2FA doesn’t factor in at all – yet the company has lost critical information.  To summarize, 2FA is just a piece of the puzzle.  Enterprise security strategy has to involve layers and a focus on data.  As a client of services, you should take some comfort that 2FA is out there, but there’s much more.