Many breaches could have been easily prevented with two-factor authentication (2FA). In addition to a password, 2FA requires a second verification step, like a smartphone code or biometric scan. Microsoft estimates that multi-factor authentication (MFA) blocks over 99.9% of account compromise attacks, making it crucial as ‘broken authentication’ remains a top OWASP vulnerability.
Hackers typically use one of the following techniques to obtain users’ credentials:
- Broad-based phishing entails a malicious actor sending a generic email from a fake email address which encourages recipients to log into a fake webpage using their actual credentials. The reasons stated in the phishing email can range from ‘accessing a new tool’, ‘resetting a password’ or, ironically, ‘confirming suspicious account activity’.
- Spear phishing follows the same model as broad-based phishing, but the emails are tailored to each target. The email might address the user by their real name or refer to applications they regularly use. Spear phishing emails appear more credible than their generic counterparts, which increases their success rate.
- In credential stuffing attacks, a malicious actor who discovers or purchases a target’s password tries it elsewhere and can access all the accounts that share that password. This is particularly problematic when considering users’ personal cyber security awareness.
- Password spraying enables attackers to gain access by trying out common or default passwords. The most generic examples are passwords such as ‘123456’ and ‘password’.
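Password spraying has a recognisable footprint in authentication logs: one source produces a small number of failures against many different accounts, rather than many failures against one account. The detector below is an added example written for this article, not code from the original page; the log line format, the field names and the sample events (using RFC 5737 documentation addresses) are all constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO8601 UTC> auth_fail user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(lines):
    """Turn raw auth_fail lines into (timestamp, user, source) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source if, within any `window`, it failed against at least `min_users`
    distinct accounts while never exceeding `max_per_user` attempts on any one of them.
    Single-account brute force (many failures, one user) deliberately does not match."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            counts = defaultdict(int)
            for ts, user in evs[i:]:          # every failure inside the window starting here
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)  # which accounts were sprayed
                break
    return flagged


# Constructed sample: one spraying source, one brute-forcing source, one benign typo.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z auth_fail user=alice src=203.0.113.5",
    "2024-03-01T09:00:14Z auth_fail user=bob src=203.0.113.5",
    "2024-03-01T09:00:27Z auth_fail user=carol src=203.0.113.5",
    "2024-03-01T09:00:40Z auth_fail user=dave src=203.0.113.5",
    "2024-03-01T09:00:53Z auth_fail user=erin src=203.0.113.5",
    "2024-03-01T09:01:06Z auth_fail user=frank src=203.0.113.5",
    "this line is not an auth event and is ignored",
] + [
    f"2024-03-01T09:0{i}:00Z auth_fail user=bob src=198.51.100.7" for i in range(8)
] + [
    "2024-03-01T09:05:00Z auth_fail user=carol src=192.0.2.9",
]


def run_sample():
    return detect_password_spray(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for src, users in run_sample().items():
        print(f"possible password spray from {src}: {len(users)} accounts targeted")
```

The thresholds are starting points, not tuned values: a spray that happens to retry one account three times would slip past `max_per_user=2`, so in practice the per-user cap is used to separate spraying from brute force rather than as a hard rule, and the source key is often a tenant or ASN rather than a single IP.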
Why is Two Factor Authentication Important?
As we can see, breaking into a password is not mission impossible and does not require attackers to go through the target’s rubbish in the hopes of finding a sheet of paper with their credentials written down.
Between these three types of attacks – phishing, credential stuffing, and password spraying – it’s easy to imagine that out of one thousand employees, at least one of them could be compromised. And that puts the entire organisation at risk.
However, when you throw another authentication mode into the mix, the compromise risk approaches zero. While a password can be hacked, the chances of the attacker also remotely accessing the target’s authentication device or biometric data are almost nil. This is how 99.9 percent of account compromises can be prevented.
Security Awareness Training is Critical for Two Factor Authentication Success
Deploying two factor authentication in your organisation has two considerations.
Firstly, technology. To implement two-factor authentication, you need to choose a method that authenticates users. The most common method nowadays is using a smartphone. Products such as Office 365 have built-in MFA functions and policy management which can easily set up users’ mobile applications as proof of identity.
Second, and perhaps the more challenging, people. Users will have to go through an additional log-in step every time they access a tool that has MFA enabled. This is where Security Awareness Training is indispensable. Without an employee education campaign outlining the importance of two factor authentication, some users may feel inconvenienced by the additional authentication step and may turn to using unauthorised applications – such as WhatsApp – to share files and messages. This unauthorised application usage is dubbed shadow IT and it’s a high-risk practice as it bypasses all enterprise security.
Users’ cyber security awareness is even more important when we reconsider the credential stuffing attack. If more than 50 percent of users use the same password for multiple accounts, it is also very likely that they will share passwords between personal and work accounts.
Creating a Human Firewall with Two Factor Authentication
For this reason, we recommend extending Security Awareness Training campaigns into the employee’s personal security habits. Enabling 2FA on personal email services such as Gmail is easy to set up and convenient to use. This single action has a two-way benefit, directly to the user and indirectly to the organisation as it minimises the risk of data breaches.
In addition to promoting the importance of two factor authentication for personal usage, incident management training can also help users who have been compromised to follow a procedure that can prevent further damage, including the reporting of breaches to the relevant IT teams and changing passwords where necessary.
Education campaigns to drive good personal cyber security awareness are the only way to get voluntary user buy-in. When employees understand the importance of keeping both their work and home IT and communication services secure, they will form a robust foundation for the whole enterprise.
Enhance Your Cyber Security with Effective Employee Training
To strengthen your organisation’s cyber security, we recommend exploring these articles:
- How Computer Security Training for Employees Mitigates Cyber Threats and Data Breaches
- The Ultimate Guide to Security Awareness and Training for Every Employee
- Why Paid Cyber Security Training is Worth the Investment
Alternatively, request a free demo of our advanced Cyber Security Training for Employees to see how effective training can enhance your defence against cyber threats.
