Importance of 2 Factor Authentication
By Mohammed Oosman - Oct 10, 2018
Human beings tend to make mistakes, and you just can’t prevent it because nobody is perfect. You may be wondering why on earth I am talking about this in a post that is supposed to be technical, right?
But let us look at the common mistakes that people still commit nowadays, even though awareness is spread through different mediums: drives, sessions, posters in organizations and so on. So what are the mistakes I am talking about?
• Writing down the passwords of your different accounts on sticky notes, in books and on other mediums.
• Keeping very easily guessable and commonly used passwords for different accounts.
• Using just one password for all the accounts you maintain.
• Not caring about a strong password policy. You may say that this is not your problem and it’s up to the site to maintain these things. But even in this case we need to understand the importance of our accounts and adhere to a commonly accepted strong password policy.
Well, these are some of the gruesome common mistakes that people still tend to commit. Here I am not just talking about the common man; even highly qualified, well-skilled people commit this sin, for which different organizations have had to pay the price.
You must be thinking I am kidding. Well, let’s just have a look at recent incidents where the attacker was able to get into an account and interact with crucial resources of the organization.
Timehop Data Breach
Timehop is a social media app that was hit by a major data breach on July 4th, 2018, which compromised the personal data of more than 21 million of its users.
What type of data was compromised in the breach?
The company revealed that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.
The attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to users’ social media posts and images. With access to these tokens, the attackers could view some of your posts on Facebook and other social networks without your permission.
What was the cause of the breach?
The company later admitted that the cause of the breach was the compromise of access credentials combined with a lack of 2-factor authentication.
Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment using the compromised credentials alone.
Timehop has since taken new security measures, including system-wide multifactor authentication to secure its authorization and access controls on all accounts.
Gentoo Github Account Hack
Recently an unknown group of hackers managed to get into the GitHub account maintained by Gentoo Linux and replaced some repositories with malicious code. The intruder also tried to run rm -rf commands in the repos.
Luckily, the hack was noticed when the attacker tried blocking existing valid users, which sent notification emails to the actual Gentoo Linux repo maintainers.
Reason for the hack
Again, the reason behind this attack was that the account had an easily guessable password and two-factor authentication was not enabled.
So, as we see from the above examples, not only the common man but even tech giants tend to make these huge mistakes.
What exactly is 2 Factor Authentication?
In layman’s terms, 2FA is nothing but an extra layer of protection for your online account. If you want a precise definition, here is one from our online guru:
“Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.” - Wikipedia
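As an added example (not part of the original post), here is how the “something they have” factor is most commonly implemented: a time-based one-time password (TOTP, RFC 6238). The user’s device and the server share a secret; the server checks the submitted 6-digit code against the current 30-second step, tolerates one step of clock drift, and refuses any step it has already accepted so an intercepted code cannot be replayed. The shared secret below is the RFC 6238 test-vector key, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample input: the shared secret from the RFC 6238 test vectors,
# base32-encoded the way authenticator apps expect it in the enrollment QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (default 30 s steps)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, last_counter, step=30, skew=1):
    """Server-side check of a submitted code.

    Accepts the current time step or up to `skew` steps on either side, so a device
    whose clock drifts slightly still works; refuses any step at or below
    `last_counter` so an intercepted code cannot be replayed. Returns
    (accepted, new_last_counter); the caller persists new_last_counter per user.
    """
    current = unix_time // step
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed, or older than the last accepted step
        # Constant-time comparison: do not leak which digit mismatched.
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    now = 59  # fixed timestamp from the RFC 6238 test vectors
    code = totp(SECRET_B32, now)
    print("device shows:", code)
    ok, last = verify_totp(SECRET_B32, code, now, last_counter=-1)
    print("first use accepted:", ok)
    ok, last = verify_totp(SECRET_B32, code, now, last_counter=last)
    print("replay accepted:", ok)
```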
Challenges faced with 2FA
1. Some companies do not possess the infrastructure to support it, which makes the initial process more involved while the necessary infrastructure is acquired. It is also difficult to find, within the company, someone who truly knows how to set up 2FA, understands the security component, and makes sure it is working properly.
2. It will be an issue if the user trying to log in does not have the device with them due to various circumstances.
3. The process may be slow if the service is unable to connect to or contact the device because of connectivity issues.