In a column last July, a Wall Street Journal tech reporter, Christopher Mims, published his Twitter password for all to see. As he wrote in the column, Mims was confident that the two-factor authentication service he had enabled on his Twitter account would protect him from hackers. So even if a would-be hacker used his password, the text message with the second verification code would be sent only to Mims’ smartphone. Of course, what he ended up with was hundreds of text messages clogging his phone as smart-alecky readers had a field day with his password. At one point, Mims tweeted that he was receiving two texts every minute.
The lesson here is that it’s never wise to challenge the Internet masses to hack you. Mims was a good sport about his blunder, documenting his travails on Twitter as a warning to his readers. Yet even if the stunt somewhat backfired – and he ended up having to change his phone number – Mims was right: No one hacked his Twitter account.
Two-factor authentication, a type of multi-factor authentication, operates under a basic premise: To access your account, you need to supply two factors to prove your identity. These factors may include:
- Something you know, such as a password or PIN
- Something you have, such as a smartphone or bank card
- Your physical characteristics, such as your fingerprint or iris
- A location you have access to, such as proximity to your wifi network
Most hackers don’t have the time or resources to investigate individual users, which is why they throw a wide digital net in the hope of catching the most vulnerable fish. Because of this, an account that demands a second factor is rarely worth the extra effort when so many others do not, and two-factor authentication is an extremely effective way to protect your accounts.
But hackers also target individual businesses, and the wide net works there too. They can narrow their range to employees of a particular business or users of a particular platform or software, hoping to catch the one person who hasn’t sufficiently protected their account. With that door open, havoc ensues. This is exactly what happened to the company Slack, which develops team-communication software. In February, the promising start-up announced it had been hacked and that some number of its users’ data — email addresses, passwords, and phone numbers — had been compromised. In response to the data breach, Slack announced it would beef up its security process by – you guessed it – using two-factor authentication.
The Slack hack sent shivers down the spine of businesses that rely on the platform for their digital communication needs. Yet even if your business doesn’t use Slack or any of its competitors, it’s likely you use other systems that have (or should have) two-factor authentication. Take Gmail. Thousands of businesses use Gmail as their enterprise email system, but do they require their employees to use Gmail’s two-factor authentication service? They should.
More to the point, a thief who successfully hacks one of your employees’ email accounts won’t likely stop at just reading the email. The hacker now knows the employee’s password, which, if the employee is like everyone else in the world, is the same password he or she uses to access other, more vital accounts. In this way one hacked account can lead to massive theft of sensitive information far beyond one employee’s email folder.
It’s important to note that two-factor authentication isn’t 100% safe. Hackers have successfully breached two-factor authentication models that rely on text messages by setting up call forwarding in a victim’s mobile-carrier web account, so that the verification code is delivered to a phone they control rather than to the victim. But requiring your employees (and users) to use two-factor authentication for their personal and company accounts makes it significantly harder for the hackers to gain entry.
The question then becomes: Why aren’t you using two-factor authentication?