Dabbling in two-factor authentication can be dangerous

Image: two doors (credit: Barbara Eckstein, Creative Commons BY or BY-SA)

What if the front door to your home was virtually impenetrable—secured with a standard lock, as well as a deadbolt and a video surveillance system—but the side door to the house was unlocked and left wide open? How effective would the brakes on your car be if they only worked part of the time? That is what it’s like to use two-factor authentication, but only on certain designated systems.

The problem many organizations have with two-factor authentication is that it is implemented sporadically. High-risk or high-value servers are identified and the stronger authentication mechanisms are put in place there. That creates a false sense of security. If other users and other systems on the network are not also using two-factor authentication, attackers may be able to compromise those systems and find a back door into the high-value servers.

Even the most “advanced” threats are fundamentally simple at the point of attack. Phishing and other credential theft attacks provide attackers with an initial entry vector into a victim’s network, and also enable them to move laterally within the network to reach the eventual target. When strong two-factor authentication isn't present, it's expected that attackers will take advantage of that and find the path of least resistance.

Jon Oberheide, co-founder and CTO of Duo Security, stresses that cost and complexity get in the way of businesses implementing effective two-factor authentication. “Historically, two-factor authentication has been limited in deployment scope to only the most critical services or to a select group of key administrators due to cost and usability burden.”

Selective implementation of two-factor protection has cascading repercussions. In the first place, it gives organizations a false sense that they are more secure than they really are. Executive leadership and IT managers understand that two-factor authentication should prevent most common data breaches, and they know it’s being used in the organization, so they assume the company’s data is secure.

That leads to another unintended consequence. When selective two-factor authentication fails to provide adequate protection and the organization’s data is compromised, two-factor authentication takes the blame. There is a sense of “The organization was even using two-factor authentication and STILL got breached, so two-factor authentication failed.”

The problem isn’t the two-factor authentication. The problem is that dabbling in two-factor authentication is ineffective. Effective implementation of two-factor authentication requires that it be applied comprehensively to all users and systems.

It only takes one server with access to or storage of sensitive data that isn’t protected with two-factor authentication for a data breach to occur.
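As an added illustration of that point (example code written for this page, not from the article or from Duo Security), the following script audits a constructed host inventory: it treats every host that still accepts a password alone as a possible foothold, follows credential-reuse paths between hosts, and reports which sensitive servers can be reached that way, including servers that do have two-factor authentication themselves. Host names, the "mfa"/"sensitive" attributes and the trust relationships are all constructed sample data.

```python
"""Two-factor coverage audit over a constructed host inventory.

A host without MFA can be entered with a phished password alone.  A trust
edge A -> B means credentials or keys held on A are accepted by B without an
interactive second factor (shared admin password, SSH key, service account),
so an attacker who owns A can move to B even if B enforces MFA for logins.
"""
from collections import deque

# Constructed inventory: host -> {"mfa": enforces 2FA, "sensitive": holds sensitive data}
HOSTS = {
    "vpn-gw":    {"mfa": True,  "sensitive": False},
    "jump-01":   {"mfa": True,  "sensitive": False},
    "db-prod":   {"mfa": True,  "sensitive": True},   # the "high-value" server
    "wiki":      {"mfa": False, "sensitive": False},
    "backup-01": {"mfa": False, "sensitive": True},   # holds a copy of db-prod data
    "build-srv": {"mfa": False, "sensitive": False},
}

# Constructed credential-reuse paths (source -> hosts that accept its credentials)
TRUSTS = {
    "vpn-gw":    ["jump-01", "wiki"],
    "jump-01":   ["db-prod", "backup-01"],
    "wiki":      ["build-srv"],          # same local admin password on both
    "build-srv": ["db-prod"],            # deploy service account reaches the database
}


def password_only_hosts(hosts):
    """Hosts an attacker can enter with a stolen password and nothing else."""
    return {name for name, attrs in hosts.items() if not attrs["mfa"]}


def reachable(start, trusts):
    """Every host reachable from `start` by following trust edges (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in trusts.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_sensitive_hosts(hosts, trusts):
    """Map each sensitive host to the password-only hosts from which it is reachable."""
    exposure = {}
    for entry in password_only_hosts(hosts):
        for host in reachable(entry, trusts):
            if hosts[host]["sensitive"]:
                exposure.setdefault(host, set()).add(entry)
    return {host: sorted(entries) for host, entries in exposure.items()}


def hosts_to_enroll(hosts, trusts):
    """Password-only hosts that must get 2FA to close every path to sensitive data."""
    return sorted({e for entries in exposed_sensitive_hosts(hosts, trusts).values() for e in entries})
```

Run against the sample data, the audit shows db-prod exposed through wiki and build-srv even though db-prod itself enforces 2FA, which is exactly the side door the article describes.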

Fortunately, as two-factor authentication has become more mainstream it has also evolved to be simpler and cheaper to implement. Modern two-factor authentication solutions that leverage a user’s mobile phone as a second factor as opposed to separate legacy hardware tokens reduce both the cost and complexity of two-factor authentication.

Usernames and passwords are simply not enough to protect sensitive data, and selective implementation of two-factor authentication on high-value servers is ineffective. As organizations transition to wall-to-wall deployment of two-factor authentication, the ability of attackers to move within a network or steal sensitive data will be significantly reduced.

Copyright © 2015 IDG Communications, Inc.