Credential theft has become one of the leading causes of data breaches, and a growing one. It is involved in about 77% of cloud account breaches, because a valid username and password let an attacker walk in through the front door instead of defeating the controls that keep them out by other routes.
Companies whose online accounts are breached through compromised passwords suffer several costly consequences, such as having sensitive customer data stolen and having their email accounts used to send phishing attacks.
Personal accounts that get hacked can mean having a criminal rack up charges on your Amazon account, gain access to your online banking, or use your data for identity theft.
Password security is one of the most challenging areas of a cybersecurity plan for many New Jersey businesses. While they can use proactive managed services to protect their devices and network, user passwords require additional security tactics.
Two Main Challenges with Password Security
There are two main challenges with password security. One is user behavior; the other is data breaches at vendors, which are outside the company's control and expose its users' passwords.
Users often adopt bad password habits, such as:
- Using weak passwords
- Reusing passwords across multiple accounts (business and personal)
- Storing passwords insecurely (Excel document, sticky notes)
A surprising 42% of companies rely on sticky notes to manage their passwords.
Users have so many accounts to keep up with that remembering difficult, unique passwords for all of them is pretty much impossible.
The second issue is data breaches at a vendor that an individual or company uses. Two examples are MyFitnessPal (150 million accounts compromised) and Yahoo (3 billion accounts compromised).
Because password reuse is so prevalent, if one password is compromised in a large breach, it puts several other accounts at risk. And it’s typically months after the initial breach happens before a company learns about it and then notifies impacted users.
How MFA/2FA Can Significantly Boost Account Security
Multi-factor authentication (MFA) means requiring more than one category of evidence before granting access; two-factor authentication (2FA) is the most common form of it, where exactly two are required. Both add at least one factor beyond the password to the login, whether it's a website account or an account used through an app (like Microsoft 365).
There are typically three main “factors” of authentication for account login:
- What you know: A password, PIN or passphrase (the username only identifies you; it isn't secret, so it adds no protection)
- What you have: A device you physically possess, such as a phone that receives or generates a login code
- What you are: A biometric, like a fingerprint scan
With initial account setups, people are usually only using one factor, the "what you know," to get into their accounts. So all a hacker has to do is learn that same information, which they can do through credential stuffing (trying passwords leaked from one breach against other sites) or by purchasing hacked databases of passwords on the Dark Web.
When you use MFA/2FA, you’re adding a second requirement to the login process, which is usually the “what you have” factor.
The process typically works like this:
- User inputs username and password
- User clicks to have a code sent to a pre-determined device (usually a mobile phone)
- User has a limited time (5-10 minutes) to input the code before it expires
- When the code is correctly entered, the user gains access to their account
Using that additional factor of authentication is vital to account security because it's incredibly effective at keeping a hacker out. Even if they have the password, most won't also have access to your mobile phone, so they're locked out of your account. The exceptions are attacks that trick the user into typing the code into a fake login page, or that hijack the phone number itself (SIM swapping); that is why SMS codes stop fewer targeted attacks than on-device prompts in the Google figures below.
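As an added illustration (this code is not from the original page and is not Two River Computer's), here is how the time-limited code behind the "what you have" step is generated and checked when the phone runs an authenticator app instead of receiving an SMS: the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226). It assumes the RFC's published test secret as a constructed demo key, a 30-second code lifetime, a one-step allowance for clock drift, and a replay check; the function and constant names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference test key. A real
# deployment generates a random per-user secret and shares it with the user's
# authenticator app exactly once, usually as a base32 string inside a QR code.
DEMO_SECRET = b"12345678901234567890"

TIME_STEP = 30      # seconds each code is valid for
DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_used_counter: int = -1,
                step: int = TIME_STEP, drift: int = ALLOWED_DRIFT):
    """Server-side check of a code the user typed in.

    Returns the time-step counter that matched, so the caller can store it and
    refuse a replay of the same code, or None if the code is wrong, expired,
    or already used. Comparison is constant-time so response timing does not
    leak which digits were right.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    counter = at_time // step
    for c in range(counter - drift, counter + drift + 1):
        if c <= last_used_counter:          # already accepted once: replay
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def secret_to_base32(secret: bytes) -> str:
    """Encode the shared secret the way authenticator apps expect it."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("share with the user once:", secret_to_base32(DEMO_SECRET))
    print("code valid right now:", totp(DEMO_SECRET, now))
    # A code generated ten minutes ago is outside the window and is rejected.
    stale = totp(DEMO_SECRET, now - 600)
    print("stale code accepted?", verify_totp(DEMO_SECRET, stale, now) is not None)
```

The secret never travels over the network after enrollment; only the six-digit code does, and it is worthless a minute later. That is the property that makes a stolen password insufficient on its own.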
How Effective is MFA/2FA?
Two studies, one published by Google and one by Microsoft, both show how effective multi-factor authentication/two-factor authentication is for account logins.
In the Google study, they looked at different device-based versions of MFA/2FA and how effective they were at stopping various types of account attacks. They found that depending upon the type of attack and method used, MFA/2FA was between 76% and 100% effective.
- Automated bot attacks
  - On-device prompt: 100% stopped
  - SMS code: 100% stopped
- Bulk phishing attacks
  - On-device prompt: 99% stopped
  - SMS code: 96% stopped
- Targeted attacks
  - On-device prompt: 90% stopped
  - SMS code: 76% stopped
In the Microsoft study, they noted that Microsoft cloud services see about 300 million attempted fraudulent account sign-ins every single day. They also found that the biggest vulnerabilities businesses had were:
- Password reuse
- Business email compromise
- Using legacy authentication protocols (such as IMAP, POP and SMTP basic authentication), which can't enforce MFA and so give attackers a way around it
Their study found that using MFA/2FA blocked 99.9% of attempted account attacks.
Ways to Implement MFA/2FA
You can implement MFA/2FA in two main ways.
One is to implement it individually on each account you use. Most accounts will have a way to enable it for account security.
The other way is to use single sign-on (SSO) technology, which lets users complete MFA once at a master sign-in that then gives them access to all their business apps. Because that one login now guards everything behind it, the SSO account itself must require MFA, and the connected apps should not allow a direct login that bypasses it.
Get Help Securing Your Business Accounts Today!
Credential theft is a major concern and only becoming more dangerous. Don't leave yourself exposed. Two River Computer can help you implement MFA/2FA and other safeguards to keep your accounts protected.
Contact us today to learn more. Call 732-747-0020 or reach us online.