2 Factors Might Be Better Than 1, But Is It Enough?

By Selena Templeton

Many individuals and businesses erroneously believe that if they have two-factor authentication then all personal info on their computer or smartphone is safe. And it’s certainly nice to think that all you have to do is implement this one strategy and you’re good to go as far as securing your most essential data.

In fact, second factors can be breached, and the easiest one to crack is knowledge-based security questions (e.g. “Name of your first pet”), as Ryan Rowcliffe stated in his Black Hat session ‘Two-Factor Isn’t Enough – We Show You Why’.

The Verizon 2016 Data Breach Investigations Report, which is an annual document detailing the top cybersecurity threats in various industries based on 100,000+ security incidents, added a new section this year about credentials – and, said Rowcliffe, the fact that this subject got its own section means that it is something to be worried about.

Rowcliffe listed nine levels of security and suggested that companies use as many of these as their budget and workforce allow:

  • Threat Service
  • Geo Location
  • Geo Velocity
  • Geo Fencing
  • Device Recognition
  • Behavior Biometrics
  • Directory of Attribute Checking
  • User Behavior Analytics (UBA)
  • Second-Factor Method
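To make the list above concrete, here is an added example (my own code, not the session's or the article's) of how several of these signals can be combined into a risk score for a single login attempt: geo fencing (country allowlist), geo velocity (implied travel speed since the previous login), device recognition (known device fingerprints) and the strength of the second-factor method, with knowledge-based questions scored as the weakest. Every threshold, weight, coordinate, device ID and login event is constructed for illustration; a real deployment would tune them against its own population.

```python
"""Risk-scoring a login attempt from several adaptive-authentication signals.

Added example, not code from the talk or the article. All weights, thresholds,
the sample login history and the device identifiers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime            # UTC timestamp of the attempt
    lat: float                # coordinates resolved from the source IP
    lon: float
    country: str              # ISO country code resolved from the source IP
    device_id: str            # fingerprint/cookie identifying the browser or app
    second_factor: str        # "totp", "push", "security_question" or "none"


# Constructed policy values (tune per deployment).
ALLOWED_COUNTRIES = {"US", "CA"}      # geo fencing
MAX_PLAUSIBLE_SPEED_KMH = 900.0       # geo velocity: faster than an airliner is suspect
STEP_UP_THRESHOLD = 50                # at or above: demand a stronger second factor
DENY_THRESHOLD = 100                  # at or above: refuse the login outright


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geo_velocity_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Travel speed implied by two logins; infinite if distance > 0 with no elapsed time."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def score_login(history: list[LoginEvent], attempt: LoginEvent,
                known_devices: set[str]) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Higher is riskier; reasons explain each increment."""
    score, reasons = 0, []
    # Geo fencing: source country outside the allowlist.
    if attempt.country not in ALLOWED_COUNTRIES:
        score += 60
        reasons.append(f"geo_fence:{attempt.country}")
    # Geo velocity: impossible travel relative to this user's most recent prior login.
    prior = [e for e in history if e.user == attempt.user and e.when < attempt.when]
    if prior:
        speed = geo_velocity_kmh(max(prior, key=lambda e: e.when), attempt)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 70
            reasons.append(f"geo_velocity:{speed:.0f}km/h")
    # Device recognition: fingerprint never seen for this account.
    if attempt.device_id not in known_devices:
        score += 30
        reasons.append("unknown_device")
    # Second-factor method: knowledge-based questions are the weakest factor the talk names.
    if attempt.second_factor == "security_question":
        score += 20
        reasons.append("weak_second_factor")
    elif attempt.second_factor == "none":
        score += 40
        reasons.append("no_second_factor")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score onto an access decision."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample data: one established login from New York on a known laptop.
_T0 = datetime(2023, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [LoginEvent("alice", _T0, 40.7128, -74.0060, "US", "dev-alice-laptop", "totp")]
KNOWN_DEVICES = {"dev-alice-laptop"}

ATTEMPT_SAME_CITY = LoginEvent("alice", _T0.replace(hour=10), 40.7128, -74.0060, "US",
                               "dev-alice-laptop", "totp")
ATTEMPT_LONDON = LoginEvent("alice", _T0.replace(hour=11), 51.5074, -0.1278, "GB",
                            "dev-unknown-browser", "security_question")
ATTEMPT_BOSTON = LoginEvent("alice", _T0.replace(hour=15), 42.3601, -71.0589, "US",
                            "dev-alice-phone", "none")


def evaluate(attempt: LoginEvent) -> tuple[str, int, list[str]]:
    """Score one attempt against the sample history and return (decision, score, reasons)."""
    score, reasons = score_login(SAMPLE_HISTORY, attempt, KNOWN_DEVICES)
    return decide(score), score, reasons


if __name__ == "__main__":
    for attempt in (ATTEMPT_SAME_CITY, ATTEMPT_LONDON, ATTEMPT_BOSTON):
        print(attempt.country, attempt.device_id, "->", evaluate(attempt))
```

The point of scoring rather than gating on any single signal is that each layer covers a different failure of the others: a stolen password plus a guessed security answer still trips geo velocity and device recognition, while a legitimate traveller on a new phone gets a step-up prompt instead of a lockout. The two-hour New York to London attempt scores 180 and is denied; the six-hour trip to Boston on an unrecognised phone with no second factor scores 70 and is sent to step-up.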

Rowcliffe emphasized that businesses are still exposing themselves, sometimes in the simplest and most obvious ways – like sharing usernames and passwords via email or not deleting old login info from previous employees. When it comes to convenience, users will almost always eschew security measures: they don’t want to bother with two-factor, they use the same security questions and answers for all their sites, they keep their login info in a very obvious place, and they use the same 5-digit code for all their PINs.

I hate to sound like a broken record (or a hacked Spotify playlist, I suppose), but the human element will get you every time. Rowcliffe ended the session with the same five words of caution that he began with: compliance does not equal security. You have to be proactive and, yes, a little inconvenienced from time to time if you want your data to stay protected.