Two-factor (or multi-factor) authentication is a very effective way of providing an additional layer of security for systems and data. It's relatively trivial these days for attackers to compromise usernames and passwords, and two-factor authentication puts another line of defense between those compromised credentials and access to your information, at least when it is implemented effectively.
When organizations implement two-factor authentication on a selective basis they are still leaving systems and data exposed. Those servers or applications that have two-factor authentication may have better protection, but attackers may still be able to gain access to the network by other means and find alternative ways to breach sensitive data.
I wrote a blog post about the risks of selective two-factor authentication:
What if the front door to your home was virtually impenetrable—secured with a standard lock, as well as a deadbolt and a video surveillance system—but the side door to the house was unlocked and left wide open? How effective would the brakes on your car be if they only worked part of the time? That is what it’s like to use two-factor authentication, but only on certain designated systems.
The problem many organizations have with two-factor authentication is that it is implemented sporadically. High-risk or high-value servers are identified and the stronger authentication mechanisms are put in place there. That creates a false sense of security. If other users and other systems on the network are not also using two-factor authentication, attackers may be able to compromise those systems and find a back door into the high-value servers.
Even the most “advanced” threats are fundamentally simple at the point of attack. Phishing and other credential theft attacks provide attackers with an initial entry vector into a victim’s network, and also enable them to move laterally within the network to reach the eventual target. When strong two-factor authentication isn’t present, it’s expected that attackers will take advantage of that and find the path of least resistance.
Jon Oberheide, co-founder and CTO of Duo Security, stresses that cost and complexity get in the way of businesses implementing effective two-factor authentication. “Historically, two-factor authentication has been limited in deployment scope to only the most critical services or to a select group of key administrators due to cost and usability burden.”
Selective implementation of two-factor protection has cascading repercussions. In the first place, it gives organizations a false sense that they are more secure than they really are. Executive leadership and IT managers understand that two-factor authentication should prevent most common data breaches, and they know it's being used in the organization, so they assume the company's data is secure.
Read the full story on CSOOnline: Dabbling in two-factor authentication can be dangerous.