Back in 2016, millions of emails were breached at Deloitte, after hackers gained access to an administrator’s account that gave them unrestricted access to Deloitte’s cloud-based email system. Investigations in the incident revealed that the administrator’s account had only one layer of protection – a password – without any further identification methods.
This could have easily prevented had two factor authentication (2FA) been enabled for the admin account. In addition to using a password, 2FA requires users to provide an additional piece of evidence that confirms their identity. This can either be something that only the user possesses – such as a smartphone, or a biometric – such as a fingerprint.
In fact, Microsoft estimates the effectiveness of multi-factor authentication at over 99.9 percent, blocking virtually all account compromise attacks. This is hugely important considering that ‘broken authentication’ has been consistently one of the top vulnerabilities on the OWASP Top Ten.
Hackers typically use one of the following techniques to gain user’s credentials:
- Broad-based phishing entails a malicious actor sending a generic email from a fake email address which encourages recipients to log into a fake webpage using their actual credentials. The reasons stated in the phishing email can range from ‘accessing a new tool’, ‘resetting a password’ or, ironically, ‘confirming suspicious account activity’.
- Spear phishing follows the same model as broad-based phishing, but the emails are specific to each target. This would mean that the email addresses the user by their real name, or applications they regularly use. Spear phishing emails appear more credible than their counterparts, which increase their success rate.
- Credential stuffing attacks, where a malicious actor who successfully discovers or purchases a target’s password can access all the accounts that share that password. This is particularly problematic when considering users’ personal cyber security awareness. As of 2020, more than 50 percent of people admit to using the same password for multiple accounts. This leaves both their personal data and their work data vulnerable to this type of attack.
- Password spraying enables attackers to gain access by trying out common or default passwords. The most generic examples are passwords such as ‘123456’ and ‘password’.
Why is Two Factor Authentication Important?
As we can see, breaking into a password is not mission impossible and does not require attackers to go through the target’s rubbish in the hopes of finding a sheet of paper with their credentials written down.
Between these three types of attacks – phishing, credential stuffing, and password spraying – it’s easy to imagine that out of one thousand employees, at least one of them could be compromised. And that puts the entire organisation at risk.
However, when you throw another authentication mode into the mix, the compromise risk approaches zero. While a password can be hacked, the chances of the attacker also remotely accessing the target’s authentication device or biometric is almost null. This is how 99.9 percent of account compromises can be prevented.
Security Awareness Training is Critical for Two Factor Authentication Success
Deploying two factor authentication in your organisation has two considerations.
Firstly, technology. To implement two factor authentication, you need to choose a method that authenticates users. The most common method nowadays is using a smartphone. Products such as Office 365 have built-in MFA functions and policy management which can easily set up users’ mobile applications as proof of identity.
Second, and perhaps the more challenging, people. Users will have to go through an additional log-in step every time they access a tool that has MFA enabled. This is where security awareness training is indispensable. Without an employee education campaign outlining the importance of two factor authentication, some users may feel inconvenienced by the additional authentication step and may turn to using unauthorised applications – such as WhatsApp – to share files and messages. This unauthorised application usage is dubbed shadow IT and it’s a high-risk practice as it bypasses all enterprise security.
User’s cyber security awareness is even more important when we reconsider the credential stuffing attack. If more than 50 percent of users use the same password for multiple accounts, it is also very likely that they will share passwords between personal and work accounts.
Creating a Human Firewall with Two Factor Authentication
For this reason, we recommend extending cyber security awareness training campaigns into the employee’s personal security habits. Enabling 2FA on personal email services such as Gmail is easy to set up and convenient to use. This single action has a two way benefit, directly to the user and indirectly to the organisation as it minimises the risk of data breaches.
In addition to promoting the importance of two factor authentication for personal usage, incident management training can also help users who have been compromised to follow a procedure that can prevent further damage, including the reporting of breaches to the relevant IT teams and changing passwords where necessary.
Education campaigns to drive good personal cyber security awareness are the only way to get voluntary user buy-in. When employees understand the importance of keeping both their work and home IT and communication services secure, they will form a robust foundation for the whole enterprise.