Opinion: Back to the Start for 2FA Adoption?
In a previous post, Tripwire asked contributors what their most memorable event of 2018 was. As a follow-up, guest author Bob Covello expands on his thoughts about two-factor authentication (2FA).
We in the infosec community have made enormous progress towards getting multi-factor authentication the recognition it deserves. All the respected folks in the community have been promoting multi-factor as the best protection against account hijacks.
To review, every simple account takeover of every online account could have been prevented if the account holder had enabled multi-factor authentication on those accounts. More sophisticated account takeovers using SIM swaps and other more complex techniques are beyond what I am discussing here. I am only writing about the easily guessed or discovered password compromises that allow anyone unfettered access to an account.
Although we have made strides in getting multi-factor some recognition, we are still not doing a good job at getting full adoption of the platform. Most of the people I talk to still view two-factor authentication (2FA) as more of an inconvenience. We all know what happens when a person has to choose between security and convenience; security loses every time. This is a sad reality.
I have tried to remain optimistic, and I have been a champion of 2FA for many years. Who could deny the advantages of this fantastic technology? Then, the recent Azure failures happened. This was a bad moment for Azure customers and an even worse moment for 2FA advocates. Some folks recommended the use of a “safety account” that is not protected by 2FA.
This was curious to me. I am not insensitive to businesses that lost money during those Azure failures, but if we expand the idea of a 2FA backdoor account, it is not a far walk to the topic of encryption backdoors.
The question (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Bob Covello. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/back-to-the-start-for-2fa-adoption/