Good security is built in layers.

LifeLock founder Todd Davis attracted a lot of attention in 2006 when he included his social security number in an ad campaign. He argued that the layers of security his service provided were so effective that the information was useless to criminals. Unfortunately, according to the Phoenix New Times[i], Davis subsequently had his identity stolen at least 13 times.

While it was a brilliant marketing approach, publishing confidential personal data is never a good security idea. Release this information only to people who need to know it. It’s too important a security layer to ignore.

Similarly, one could argue that accounts protected by multi-factor authentication are so secure that you could publish your password, “password123”, to the world and your account would remain secure. While there is some truth to this, never do it! Use strong, lengthy passwords and do not share them because it is an important security layer. However, additionally enabling multi-factor authentication is almost certainly even more important.

In a 2018 study conducted by LogMeIn and LastPass[ii], 2000 adults revealed the following password habits:

  • 59% of respondents said they mostly or always use the same password or a variation of the same password, whether for work or personal accounts
  • 53% of respondents say they have not changed passwords in the last 12 months even after learning about a data breach in the news

As a result of the large number of data breaches, the website haveibeenpwned.com estimates that over 7 billion user accounts have been compromised. Many of these credentials, as well as sample scripts to exploit them, are now for sale at multiple sites on the Dark Web, and business is brisk. Looking for a return on their investment, hackers will run these scripts using the ill-gotten e-mail addresses and passwords (including variants, such as adding or replacing a single number at the end).

Password Managers such as LastPass, Dashlane, and others help individuals and organizations to have a unique, complex password for every site they visit while having to remember only one master password. Google’s popular Chrome browser even has built-in basic password management that can help. Review your options for password management and make smart decisions to help all your employees manage their various accounts. But even with strong, unique passwords, it is unwise to rely on a single authentication method. No matter how diligently IT administrators set password policies and attempt to educate their users, if a password gets reused and compromised, accounts will be hacked.

The Current Official Standard

The U.S. National Institute of Standards and Technology (NIST), in its June 2017 Digital Identity Guidelines,[iii] changed its long-standing password recommendations. It no longer recommends complex passwords that are changed frequently. Instead, passwords should be long, easy to remember and hard to guess. As an example, “alongpassw0rdisB3st” (strictly an example, never use this for YOUR password). The NIST guidelines advise changing passwords less frequently, but strongly encourage the use of multi-factor authentication.
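As an added example (not code from the original article or from NIST), the following Python function applies the NIST SP 800-63B style of password acceptance described above: a minimum length, no forced composition rules, spaces and Unicode allowed, and a comparison against a list of known-compromised passwords. It goes one step beyond the text by also rejecting the trailing-digit variants the article warns about ("password123" versus "password124"). The breach list is a small constructed set for demonstration; in practice it would be a real compromised-credential corpus.

```python
import hashlib
import re
import unicodedata

# Constructed sample of compromised passwords, stored as SHA-1 hex digests so the
# plaintexts never sit in the checker. The article's own example password is
# included deliberately: a password printed in public is effectively breached.
_CONSTRUCTED_BREACH_PLAINTEXTS = [
    "password123",
    "qwerty",
    "letmein",
    "alongpassw0rdisB3st",
]

MIN_LENGTH = 8       # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64      # SP 800-63B requires at least 64 be accepted


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def _normalize(password: str) -> str:
    # NFKC normalization so visually identical Unicode input hashes identically.
    return unicodedata.normalize("NFKC", password)


def _stem(password: str) -> str:
    # Strip the trailing digits/symbols attackers mutate ("pass1" -> "pass").
    return re.sub(r"[\d!@#$%^&*.?]+$", "", password.lower())


BREACHED_HASHES = {_sha1_hex(_normalize(p)) for p in _CONSTRUCTED_BREACH_PLAINTEXTS}
BREACHED_STEM_HASHES = {_sha1_hex(_stem(_normalize(p))) for p in _CONSTRUCTED_BREACH_PLAINTEXTS}


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a user-chosen password.

    Deliberately absent: composition rules (upper/lower/digit/symbol quotas)
    and any expiry logic, both of which SP 800-63B advises against.
    """
    pw = _normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    if len(pw) > MAX_LENGTH:
        return False, f"too long (maximum {MAX_LENGTH} characters)"
    if _sha1_hex(pw) in BREACHED_HASHES:
        return False, "appears in a known-compromised password list"
    if _sha1_hex(_stem(pw)) in BREACHED_STEM_HASHES:
        return False, "is a trailing-digit/symbol variant of a compromised password"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ["short", "password123", "Password124!", "correct horse battery staple"]:
        print(f"{sample!r}: {check_password(sample)}")
```

Because the stem comparison lowercases and strips only the tail of the string, it catches the single-digit increments the article describes without turning into a general fuzzy match; a real deployment would pair this with rate limiting on the login endpoint, which the guidelines also require.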

When multi- or two-factor authentication (MFA or 2FA) is enabled, each user attempting to access sensitive data must not only provide something they know (a password), but also something they have (an electronic token) or something they are (biometrics). Most commonly, the thing they have would be a six-digit code generated by an authenticator app on the user’s smartphone. Something they are could be a thumbprint or facial recognition. With 2FA enabled, usernames and passwords alone no longer provide the keys to the kingdom, thereby dramatically reducing unauthorized logins.

While global adoption of 2FA continues to increase, it is unfortunately far from universal. Microsoft’s Office 365 offers 2FA at no extra charge for subscribers, but according to a November 2018 survey by Specops Software[iv], only 20% of organizations using Office 365 had implemented 2FA for administrators and users. Given a choice between security and convenience, most people choose convenience. Taking the extra step of entering a six-digit code to log in may be a price many busy people are unwilling to pay. Additionally, despite the avalanche of news reports about data breaches, too many business owners don’t believe a breach is likely to affect them.

Fortunately, the security industry has heard these concerns and 2FA applications are becoming easier to use. In many cases, “push” notifications can send a 2FA request to a smartphone that can be answered with a fingerprint. Firms can start implementing 2FA by enabling it for all cloud-based applications and for laptop and home PC users who access the network remotely. Eventually, it can also be enabled for logins on every workstation in the organization.

A few tips to consider:

  • Older 2FA solutions may employ text messaging for sending codes. This is no longer a recommended practice because text messages can be intercepted.
  • In the event you lose your smartphone or leave it at home, administrators can provide temporary means for you to log in.

Effective security requires multiple layers. Commit to reasonable multi-factor authentication as standard practice, because a single layer of user authentication (passwords) is simply not enough.

[i] https://www.phoenixnewtimes.com/news/lifelock-ceo-todd-davis-tries-to-spin-story-on-frequent-identity-thefts-no-explanation-for-why-davis-hid-thefts-from-customers-6628963

[ii] https://www.lastpass.com/psychology-of-passwords

[iii] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf

[iv] https://venturebeat.com/2018/08/22/global-survey-reveals-low-adoption-of-multi-factor-authentication-for-office-365/