Premise About 2-Factor Authentication
There is a lot of information available on how 2-factor authentication works, but much less about why it is a good idea. There are certain general truths about security practices, which apply across the board. Some of these can help when making the case for using 2FA.
- There is no such thing as perfect security in a complex system. It can be a goal that you move towards, but it is not something you can guarantee.
- Convenience is in direct opposition to best security practices.
- Security has very low negative feedback for behaviour.
In some cases, there is no 2-factor story for a service at all (I’m looking at you, Jira), where other approaches are still appropriate. This is by no means an exhaustive list. In talking about 2-factor authentication, I’m leaving other possible approaches in order to keep this post short.
It is almost guaranteed that the password you choose is going to be bad. This is because of how inconvenient it would be to do otherwise. Even if you inconvenience yourself with a “complex password” there’s a good chance that an attacker will be more dedicated to attacking your credentials than you are in creating them. This article on Ars Technica goes into a lot of detail about the specifics of how this works. It is a long read but argues the point well if you need more convincing.
Google is probably more secure than some WordPress-based blog. Unfortunately, by obtaining the credentials to one, an attacker can easily test a huge number of variations on the credentials he got from one against the other. Having 2FA enabled will stop this completely.
For convenience, users will often reuse a password across multiple sites. After all, keeping separate credentials for 10 different accounts is really hard! Most users are somewhere on the scale of, either having different but simple passwords or one complex password, which they re-use. Having “a clever scheme” to vary the passwords is most often not good enough either. If you’re not convinced, read the above Ars Technica article.
Malware present on end-user machines can steal credentials easily. This is particularly tied into point #3 above since most end-users assume they are not vulnerable. Applications running locally can read keyboard input, access the clipboard etc, etc. This can often be the case on mobile devices. This can sometimes be impossible to catch and can be exacerbated by other poor practices (such as disabling UAC on Windows). This is a very broad topic that I don’t want to dive into very deeply.
2-factor authentication can help with this, by acting as that second factor. Just like in cases above, however, services will often allow a user to “trust this device”. This will remove the inconvenience, but increase the risk.
Most often, the weakest link in the security chain is the end user. There is a multitude of documented cases, where attacking a secure system is not even required as the process can be completely bypassed. In this case, 2FA cannot do much to help. This can only be addressed with training.
Cost of Doing Nothing
This is where point #3 above becomes very relevant. The cost of a breach can be very hard to judge. In the case of personal accounts it could result in losing your photos, and generally having a really bad day. In the case of a business, this can sometimes lead to utter disaster. A small breach could re-enforce bad behaviour. It does this by giving the impression that this is a trivial occurrence and can be dealt with easily. The recent trend in high-profile attacks on sites such as Sony Entertainment, Ashley Madison, has produced the term “breach fatigue” which also negatively impacts end-user behaviour: “It must not be so bad since I haven’t been affected”.
This brings me back to point #1. Security is more of a journey, and a set of evolving best practices, rather than something you can apply and be safe. 2-factor authentication is just one tool in a large set, that can help in mitigating a large number of attack vectors. The cost of applying it is low, compared to the benefits it offers. Definitely recommended.
If you want to find out more about Greenfinch Technology our Home Page is the place to start.
For information about our services just use our contact form
give us a call at +353 (0)1 818 2949