There's been no shortage of unsettling security news in the past few months. The most recent Yahoo! hack and widespread Internet of Things outage are just the latest in a series of pervasive and increasingly alarming attacks. Oh, and there's that little matter of the presidential election. As the Chinese say, though, in crisis there is opportunity.
Against this backdrop, I recently sat down with Paul Lanzi, co-founder and COO at security startup Remediant. The following are excerpts from our conversation.
PS: What is two-factor authentication? Why is it so important?
PL: Two-factor authentication (aka multi-factor authentication or [MFA]) is a fancy way of saying that you have two passwords for your account, and both are required in order to log in. Generally, one of the passwords would be something that you know (such as a secret password), and the second would be something you have--like access to a cell phone with an app that can confirm that it's really you logging into your account, and not a hacker. While this sounds like an inconvenience, you would normally only need to enter the passwords when you're logging in from a new computer or a new phone.
For individuals, two-factor authentication protects against hackers who might steal your regular password in a few different ways. Examples include if bad actors breach a website or if you use the same password on multiple websites and one of them gets hacked. If you have two-factor authentication turned on, the hackers won't be able to use those stolen credentials to access your account. Since 65% of people use the same password for all of their accounts, this is a very common way for your personal account to get hacked.
For businesses, two-factor authentication brings a greater level of assurance to their information security protection efforts. Astonishingly, 90 percent of employee passwords can be hacked in 6 hours or less. What's more, attacks like "pass the hash" can result in hackers getting access to your work account even if they never actually have your password.
Two-factor authentication represents one way to immediately improve nearly all aspects of a company's information security. Some companies choose to only turn on two-factor authentication for their "privileged accounts", which is another way of saying "administrator accounts". These accounts are the #1 way that hackers move around a company's network, so protecting those accounts is a top priority for information security teams.
PS: Is the federal government embracing two-factor authentication?
PL: Yes, the federal government has been advocating two-factor authentication as a smart way that both individuals and companies can improve their security. Most recently, the National Institute of Standards and Technology released NIST 800-171, which specifies how companies that work with unclassified information must protect it--including the use of two-factor authentication. President Obama issued Executive Order 13636 ("Improving Critical Infrastructure Cybersecurity"), which led to the establishment of the Cybersecurity Framework. In the Defense contracting community, the Defense Federal Acquisition Regulations (DFARS) were updated in 2015 to require compliance with the new NIST standards.
PS: What are the downsides of not using it?
PL: Two-factor authentication is the simplest and fastest thing individuals can do to protect their online accounts. Here is a great list of websites that support two-factor authentication at. At an absolute minimum, everyone should enable two-factor authentication for their email account -- Google Mail, Yahoo Mail, etc. Not enabling it means that only your password stands between your private data and hackers getting access to it.
PS: Is it simply a matter of hitting a switch?
PL: No. Companies attempt to enable two-factor authentication for several reasons. Some must meet new regulations. Others pursue new information-security best practices. In any event, they often run into challenges. Consider the following:
It took Amazon 5 years longer than Google to enable two-factor authentication for their systems, for instance. In one survey, 63% of respondents said that cost holds them back from their two-factor authentication aspirations. Old systems may not support two-factor authentication, and other information security protections may mean that adding two-factor authentication doesn't make sense to do for all users.
PS: How does Remediant address this problem?
PL: Remediant's flagship product, SecureONE, makes it insanely easy for companies to enable two-factor authentication just for their administrator accounts--focusing on the highest value assets. Remediant takes a completely new approach in this area. We remove all privileged access from accounts, and then only grant privileged access (on a time-limited basis) if the administrator has successfully logged in to the SecureONE appliance using two-factor authentication. Companies can attain two-factor authentication for their privileged accounts without having to retrofit existing applications.
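As an added illustration of the two factors described in the first answer and of the time-limited privilege grant described in the last one (example code written for this page, not Remediant's SecureONE or any code from the interview), assuming the phone app produces standard RFC 6238 TOTP codes and using hypothetical names such as `JitPrivilegeBroker` and a constructed user table:

```python
import hashlib
import hmac
import struct

# Hypothetical helper (not Remediant's code): RFC 6238 TOTP, the kind of
# code a phone app generates as the "something you have" factor.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_matches(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Accept the current step and one step either side to tolerate clock drift,
    # comparing in constant time so a guessed code leaks nothing through timing.
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))

class JitPrivilegeBroker:
    """Hypothetical model of the approach described in the last answer: no
    account holds standing admin rights; a grant exists only after both
    factors check out, and it expires on its own."""
    def __init__(self, users, ttl_seconds=3600):
        # name -> (password, totp_secret); constructed sample table. A real
        # system stores a password hash, never the password itself.
        self._users = users
        self._ttl = ttl_seconds
        self._grants = {}          # name -> expiry timestamp of the grant

    def request_admin(self, user, password, code, now):
        record = self._users.get(user)
        if record is None:
            return False
        pw_ok = hmac.compare_digest(record[0], password)
        # Evaluate both factors before deciding, so a wrong password and a
        # wrong code take the same path and give the same answer.
        code_ok = totp_matches(record[1], code, now)
        if not (pw_ok and code_ok):
            return False
        self._grants[user] = now + self._ttl
        return True

    def has_admin(self, user, now):
        expiry = self._grants.get(user)
        if expiry is None:
            return False
        if now >= expiry:
            del self._grants[user]     # grant lapsed: back to zero privilege
            return False
        return True
```

The TOTP values below are the published RFC 6238 SHA-1 test vectors, which is the check a practitioner would run before trusting a home-grown verifier.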