Humans are bad at good passwords. We just are. Remembering long strings of random characters is something for which our brains just have not evolved a knack – and why would they? It's what we have computers for!
Even when given suggestions on how to make long passwords that are memorable – XKCD's famous "correct horse battery staple" strip, for example – humans' natural preference for what already works drags us back to the bad habits of re-use and simplicity.
Because of these human factors, the security community has taken to recommending the use of what's known as two-factor authentication, or 2FA, sometimes also called multi-factor authentication. The three ways of authenticating someone’s identity are:
Something you know, such as a password or PIN.
Something you have, such as a phone or an access card.
Something you are, such as a fingerprint, iris or palm scan.
By combining two of these, it becomes much harder for an attacker to gain access by misusing someone else’s “something you know” details. Some high-security environments may even require all three factors: a PIN, an access card, and some kind of biometric such as an iris or palm scan.
A friend’s recent experience of a bad business breakup reminded me that even people who are quite knowledgeable about computers may not be doing the best things with multi-factor authentication.
This friend, let’s call them Andy, dissolved a partnership. Andy got the trading assets, while the former partner, let’s call them Bailey, cut and ran. Fast-forward a few months and Bailey wanted back into the business. Andy said no, so Bailey started being malicious. First Bailey used an old, unchanged password for one of Andy’s email accounts – don’t share your passwords, folks! – to get a reset performed on the business’s email account. Luckily Andy was online and saw the notification about the reset, so was able to get the account back with minimum fuss.
Andy messaged me just after getting the password reset and I immediately recommended enabling two-factor authentication. Minutes after turning that on, Andy got a notification of another attempted password reset on the email account. Then another. Then an attempt to reset Facebook, which had also had 2FA enabled in Andy’s flurry of activity.
Andy was lucky. Bailey was slow to consolidate access and systematically lock Andy out, so recovery was stressful but quick. It was the enabling of 2FA that changed the game. Bailey was now unable to use something Andy knew to impersonate Andy, because now Bailey also needed something Andy had – in this case, a cell phone to provide one-time passwords.
Here at OSS Group we require 2FA for our consultants to remotely access our network and to manage our customers’ public-cloud environments. If you want to know more about how to secure your infrastructure with 2FA, get in touch.