Data security breaches continue to rise (in both size and frequency). One way companies are trying to combat this alarming trend is to implement advanced methods of user authentication.
Before we talk a bit more about two-factor authentication, let’s look at a few recent data breaches.
Top 5 Data Breaches in 2013 (So Far)
Living Social: the daily-deal website confirmed that its computer systems were hacked, resulting in “unauthorized access.” The company updated its password encryption method after the breach impacted more than 50 million users. Names, email addresses, dates of birth, and salted passwords were stolen. The daily-deal site was already having difficulty in gaining market share from competitor Groupon.
Washington State Administrative Office of the Courts: after the public website of the Washington state Office of the Courts was hacked, sensitive data of individuals whose cases were making their way through the state court system were compromised. Names, social security numbers, and driver’s license numbers were accessed without permission. Those affected by this hack have been notified, according to the public website.
Evernote: the popular note-taking software service had to reset the passwords of all 50 million users following a network breach. While there is no indication that content or payment information was stolen, Evernote did admit that usernames, email addresses, and encrypted user passwords were accessed. Evernote usage declined immediately following the data breach; no word yet on how long the impact will last.
Drupal.org: the servers of the open source content management platform were hacked. Sensitive information from the one million accounts was stolen, including usernames, email addresses, country information, and hashed passwords. Drupal.org has since reset all passwords. Open source communities can be unforgiving, especially when it comes to data security. Time will tell if Drupal.org can bounce back from this hack.
U.S. Federal Reserve: the hacking collective Anonymous breached one of the Federal Reserve’s internal websites, accessing the personal data of four thousand bank executives. This included mail addresses, phone numbers, and fax numbers that were published by the hackers online. We don’t know yet how, when, or where this now-public information is being used.
Yikes! Thinking about all of those security and data breaches makes my skin crawl! One way to combat these unfortunate data breaches is to use two-factor authentication.
So, What Is Two-Factor Authentication Exactly?
Two-factor authentication systems pursue increased security by requiring users to supply two distinct types of information.
- Users must provide two of the following: something they know (such as a password), something they possess (like a pass code from an electronic fob or their mobile phone), or something uniquely associated with their bodies (fingerprints or other biometric indicators).
- A common consumer example of two-factor authentication involves withdrawing cash from an ATM, which requires something you know (your PIN) and something you possess (your ATM card).
- Corporate examples include the combination of a password (something you know) with either a fingerprint scan or security card, or the combination of two pass codes — one you know and one supplied by a device (via either an electronic fob or the user’s cellphone).
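To make the "password plus device pass code" combination concrete, here is a small login check added for illustration (it is not from the original post). It assumes the device generates time-based one-time codes per RFC 6238 (TOTP); the names `Account`, `login` and `STEP` are made up for this sketch, and the secret used to exercise it is the published RFC test key.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds each one-time code stays valid (common TOTP default)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a time-step counter (RFC 6238, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: this is what the server stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, password: str, device_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.device_secret = device_secret  # shared with the fob or phone app
        self.last_counter = -1              # highest time step already used


def login(account: Account, password: str, code: str, now: int) -> bool:
    """Succeed only if BOTH the password and the device code check out."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account.salt), account.pw_hash)
    matched = None
    # Accept the current and previous step to tolerate small clock drift,
    # but never a step already used, so an observed code cannot be replayed.
    for counter in (now // STEP, now // STEP - 1):
        if counter > account.last_counter and hmac.compare_digest(
                totp(account.device_secret, counter).encode(), code.encode()):
            matched = counter
            break
    if pw_ok and matched is not None:
        account.last_counter = matched
        return True
    return False
```

A stolen password without the device code fails this check, and so does a code that has already been used once.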
Is Two-Factor Authentication Really Necessary?
Two-factor authentication supporters often emphasize the substantial costs associated with security breaches. (Can you imagine the cost associated with resetting all user passwords? Can you assign a dollar amount to customers losing trust in your brand?) Advocates also say that two-factor authentication systems may help users avoid the need to update and/or change passwords constantly because it reduces the importance of the actual password itself. Because of this, users may be able to pick passwords that they can actually remember.
Opponents, however, stress the added cost and inconvenience of two-factor authentication systems. The different components associated with two-factor authentication systems can be pricy. Hardware (sometimes in the form of electronic fobs or smart cards), software licenses, maintenance, and project management can cost anywhere from $38 to $72 per person per year! That’s a lot of money, especially for companies with thousands of employees. Two-factor authentication can also slow log-in processes (which can be frustrating to users). Finally, two-factor authentication still suffers from various vulnerabilities, including man-in-the-middle attacks, Trojan attacks, and fake account-recovery attempts. Just because you take additional precautions does not mean you will not be susceptible to attacks.
So, what do you think? Should two-factor authentication remain a focus for corporate data security experts? Will improvements in two-factor authentication really be able to deter hackers and thieves? Share your thoughts in the comments below.
Image Credit: Tech Pulse Weekly