Humans are bad at good passwords. We just are. Remembering long strings of random characters is something for which our brains just have not evolved a knack – and why would they? It's what we have computers for!
Even when given suggestions on how to make long passwords that are memorable – XKCD's well-known "correct horse battery staple" strip, for example – our natural preference for what already works drags us back to the bad habits of password re-use and simplicity.
The solution: two-factor authentication
Because of these human factors, the security community has taken to recommending what's known as two-factor authentication, or 2FA, which is the common case of multi-factor authentication. The three categories of authentication factor are:
Something you know (such as a PIN or password)
Something you have (such as an app or device that generates one-time codes)
Something you are (such as your fingerprints, which is known as biometrics)
By combining two of these, it becomes much harder for an attacker to gain access by misusing someone else’s “something you know” details. Some high-security environments may even require all three factors: a PIN, an access card, and some kind of biometric such as an iris or palm scan.
A case for two-factor authentication
A friend’s recent experience of a bad business breakup reminded me that even people who are quite knowledgeable about computers may not be doing the best things with multi-factor authentication.
This friend, let’s call them Andy, dissolved a partnership. Andy got the trading assets, while the former partner, let’s call them Bailey, cut and ran. Fast-forward a few months and Bailey wanted back into the business. Andy said no, so Bailey started being malicious. First Bailey used an old, unchanged password for one of Andy’s email accounts – don’t share your passwords, folks! – to get a reset performed on the business’s email account. Luckily Andy was online and saw the notification about the reset, so was able to get the account back with minimum fuss.
Andy messaged me just after getting the password reset and I immediately recommended enabling two-factor authentication. Minutes after turning that on, Andy got a notification of another attempted password reset on the email account. Then another. Then an attempt to reset Facebook, which had also had 2FA enabled in Andy’s flurry of activity.
Andy was lucky. Bailey was slow to consolidate access and systematically lock Andy out, so recovery was stressful but quick. It was the enabling of 2FA that changed the game. Bailey was now unable to use something Andy knew to impersonate Andy, because now Bailey also needed something Andy had – in this case, a cell phone to provide one-time passwords.
Need a two-factor authentication solution?
Here at OSS Group we require 2FA for our consultants to remotely access our network and to manage our customers’ public-cloud environments. If you want to know more about how to secure your infrastructure with 2FA, get in touch.