Compromised passwords account for 81% of data breaches. Once a hacker steals or guesses a user password, they have the “keys to the kingdom” and can access company files, sensitive customer and personnel data, and email accounts, which can be used to send phishing and spam.
Phishing scams will often include links that send users to a spoofed sign-in page in an effort to steal credentials. More than 90% of organizations have cloud credentials being sold on the dark web.
How are Passwords Compromised?
Password security has remained a major issue for many businesses. They have to reconcile two conflicting realities: employees need a unique, strong password for every login, and that many passwords are more than a person can possibly remember.
Hackers gain access to user passwords using a number of nefarious methods:
- Phishing campaigns (top cause of data breaches)
- Credential stuffing (testing password lists purchased on the Dark Web)
- Keystroke logging (malware that records a user’s keystrokes)
- Local discovery (finding passwords in insecure places)
- Brute force (cracking the hashes of a network’s passwords)
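Two of the methods listed above, credential stuffing and brute force, leave distinct traces in an authentication log: stuffing shows one source trying many different usernames, usually once each, while brute force shows many attempts against a single account. The script below is an added example, not code from the original post; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune for a real environment.

```python
"""Classify failed-login patterns in an authentication log.

Added example, not code from the original post. The log format used here is
constructed: "<timestamp> <result> user=<name> ip=<addr>". Credential stuffing
shows up as one source failing against many distinct usernames; brute force
shows up as many failures against one username from one source.
"""
from collections import defaultdict

# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2020-02-01T09:00:01 FAIL user=alice ip=203.0.113.7
2020-02-01T09:00:02 FAIL user=bob ip=203.0.113.7
2020-02-01T09:00:02 FAIL user=carol ip=203.0.113.7
2020-02-01T09:00:03 FAIL user=dave ip=203.0.113.7
2020-02-01T09:00:03 FAIL user=erin ip=203.0.113.7
2020-02-01T09:00:04 FAIL user=frank ip=203.0.113.7
2020-02-01T09:00:05 OK user=grace ip=203.0.113.7
2020-02-01T09:01:00 FAIL user=alice ip=198.51.100.9
2020-02-01T09:01:01 FAIL user=alice ip=198.51.100.9
2020-02-01T09:01:02 FAIL user=alice ip=198.51.100.9
2020-02-01T09:01:03 FAIL user=alice ip=198.51.100.9
2020-02-01T09:01:04 FAIL user=alice ip=198.51.100.9
2020-02-01T09:05:00 OK user=bob ip=192.0.2.44
2020-02-01T09:05:30 FAIL user=bob ip=192.0.2.44
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_kv, ip_kv = line.split()
    return {"ts": ts, "result": result,
            "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1]}


def classify_sources(log_text, stuffing_min_users=5, brute_min_attempts=5):
    """Return {ip: label} for every source IP that produced failed logins.

    The thresholds are illustrative assumptions, not values from the post.
    """
    fails_by_ip = defaultdict(list)   # ip -> usernames that failed from it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            fails_by_ip[rec["ip"]].append(rec["user"])
    labels = {}
    for ip, users in fails_by_ip.items():
        distinct = set(users)
        if len(distinct) >= stuffing_min_users:
            labels[ip] = "credential_stuffing"
        elif len(users) >= brute_min_attempts and len(distinct) == 1:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def accounts_needing_review(log_text, labels):
    """Accounts that logged in successfully from a source flagged as malicious.

    A success inside a stuffing or brute-force run is the signal that a
    password has actually been compromised and needs a reset.
    """
    flagged = {ip for ip, label in labels.items() if label != "normal"}
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "OK" and rec["ip"] in flagged:
            hits.add(rec["user"])
    return hits


if __name__ == "__main__":
    found = classify_sources(SAMPLE_LOG)
    print(found)                                    # two flagged sources
    print(accounts_needing_review(SAMPLE_LOG, found))  # {'grace'}
```

In the sample, the first source fails against six different usernames and then succeeds on one, which is the credential-stuffing pattern with a hit; the second hammers one account; the third is an ordinary user who mistyped once. The account that succeeded from a flagged source is the one to reset, and enforcing 2FA on it would have made the stolen password useless on its own.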
Success of Two-Factor Authentication
Microsoft Office 365 is the most popular cloud solution in the world by user count, and is a prime target for hackers trying to exploit stolen credentials. Microsoft sees about 300 million fraudulent sign-in attempts on their cloud service every single day.
What’s their recommendation for protecting yourself from compromised passwords? Use two-factor authentication (2FA).
According to Microsoft, two-factor authentication stops 99.9% of unauthorized login attempts.
Google’s own testing produced results similar to Microsoft’s. They found that doing something as simple as adding a recovery phone number to a Google Account blocked up to 100% of automated bots and 99% of all bulk phishing attacks.
So, you would think that everyone would be using two-factor authentication (also known as multi-factor authentication), but unfortunately many people don’t. The 2020 State of Password and Authentication Security Behaviors Report found that as many as 64% of individuals and 60% of IT professionals don’t use 2FA.
People don’t want to take those extra few seconds in their login process. But those few extra seconds can stop nearly all password breaches, so taking those moments definitely pays off when it comes to network security.
2FA is a Vital Part of a Company’s IT Security
Cloud service providers that enable 2FA in their platforms understand the need to keep the process as fluid and fast as possible so that productivity isn’t slowed down by a lengthy login process.
The entire two-factor authentication process generally takes only a few seconds, and it will typically involve the following:
- Enter username & password into login form
- Click to send an SMS (or device prompt) to the device that has been set up
- The code is received nearly instantly
- Enter code in the form to complete sign-in
This requirement of a second factor of authentication beyond just the username and password is all it takes to stop most hackers from gaining account access even if they have a user’s login credentials, because they’re not going to have physical access to the device that receives the authentication code.
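The four steps above are what the user sees; what makes the second factor effective is how the service handles the code on its side. The code below is an added example, not code from the original post or from any particular cloud platform: it issues a random six-digit code, stores only a hash of it, and accepts it once, before it expires, with a bounded number of guesses. The password store, the delivery "gateway" and the in-memory pending table are stand-ins, and the constants are assumptions.

```python
"""Server-side handling of the one-time code step described above.

Added example, not code from the original post. The password store, the
code delivery ("sent" list) and the in-memory pending table are stand-ins;
a real deployment uses a password-hash database, an SMS/push gateway and a
shared cache. Constants and names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120     # assumed lifetime of a one-time code
MAX_CODE_ATTEMPTS = 3      # assumed wrong guesses allowed before the code is voided

# Constructed user record: a salted PBKDF2 hash of an example password.
_SALT = b"example-salt-not-for-production"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000)}


def check_password(username, password):
    """Step 1: compare the candidate hash to the stored one in constant time."""
    stored = _USERS.get(username)
    # Hash even for unknown users so timing does not reveal which names exist.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return stored is not None and hmac.compare_digest(candidate, stored)


class SecondFactorService:
    """Issues and verifies one-time codes bound to a username."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> {"hash", "expires", "attempts"}
        self.sent = []       # stand-in for the SMS/push gateway

    def issue_code(self, username):
        """Steps 2-3: generate a 6-digit code, 'send' it, store only its hash."""
        code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000-999999
        self._pending[username] = {
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.sent.append((username, code))   # delivered to the enrolled device
        return code

    def verify_code(self, username, submitted):
        """Step 4: accept a code once, before expiry, with a bounded number of tries."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]        # expired: user must start over
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_CODE_ATTEMPTS:
            del self._pending[username]        # too many guesses: void the code
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), entry["hash"])
        if ok:
            del self._pending[username]        # single use
        return ok


def login_step1(svc, username, password):
    """Password check; success issues the second factor, not a session."""
    if not check_password(username, password):
        return "denied"
    svc.issue_code(username)
    return "code_required"


def login_step2(svc, username, code):
    """Second-factor check; only now is a session granted."""
    return "session_granted" if svc.verify_code(username, code) else "denied"


if __name__ == "__main__":
    svc = SecondFactorService()
    print(login_step1(svc, "alice", "correct horse"))   # code_required
    code = svc.sent[-1][1]                              # what the phone would display
    print(login_step2(svc, "alice", code))              # session_granted
    print(login_step2(svc, "alice", code))              # denied: the code was single use
```

Three details carry the security argument in the text: a correct password only earns the user a code, never a session; the service keeps a hash rather than the code itself, so a leaked pending table does not leak codes; and the attempt limit keeps a six-digit code from being guessed within its two-minute lifetime.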
Microsoft’s research also found that, of the accounts on its cloud services that were hacked, 99.9% did NOT use two-factor authentication. In January 2020 alone, 1.2 million user accounts on their platform were compromised.
How to Institute Two-Factor Authentication
Companies that want to significantly improve their data security should require employees to use 2FA. There are a few ways it can be implemented.
1. Enabling it per cloud platform is one option.
You can use the administrative settings to enable 2FA for all users on company cloud accounts, such as Office 365.
This will typically then prompt the user to set up a method and phone number for 2FA the next time they log in.
For example, in Office 365 users can choose from the following authentication options:
- Call authentication phone number
- Text code to authentication phone
- Call office phone number
- Notification through mobile app
- Show one-time code in mobile app
2. Using a universal login application is another option.
A universal login application allows you to have a single point of control over logins for all your cloud applications. This gives users a more standardized 2FA experience and makes administration of the system consistent, because you’re not dealing with the different two-factor authentication options in multiple platforms.
Additionally, you have much more control over security policies and setting up additional authentication factors, such as challenge questions. For example, you may require an additional challenge question from an employee if they are attempting to log in from a different city or country than where your office is located.
Two-factor authentication is not difficult to set up; the basic 2FA that sends a code via text or device/app prompt typically takes just moments to initiate. The improvement in password security is significant, making it an important part of any good cybersecurity strategy.
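The location-based challenge question described above is a step-up policy: the set of factors a login must pass depends on where the login comes from. The code below is an added example, not from the original post or any universal login product. The office location, the factor names and the login-context fields are assumptions; the individual factor checks (password, one-time code, challenge answer) are assumed to be done elsewhere and reported as true or false.

```python
"""Step-up policy for a universal login service, as described above.

Added example, not code from the original post or any product. The office
location, the factor names and the login-context fields are assumptions.
"""
from dataclasses import dataclass

OFFICE_LOCATION = ("US", "Houston")      # assumed office country and city


@dataclass(frozen=True)
class LoginContext:
    username: str
    country: str      # geolocated from the client address, assumed available
    city: str


def required_factors(ctx):
    """Ordered factors every login must pass under this policy.

    Baseline is password plus a one-time code from the enrolled device; a
    login from another city or country adds a challenge question, which is
    the post's example of an extra factor.
    """
    factors = ["password", "one_time_code"]
    if (ctx.country, ctx.city) != OFFICE_LOCATION:
        factors.append("challenge_question")
    return factors


def evaluate_login(ctx, proofs):
    """Apply the policy to the factor results gathered so far.

    proofs maps factor name -> True/False as reported by that factor's checker.
    Returns ("granted", None), ("pending", next_factor) or ("denied", failed_factor).
    Factors are checked strictly in order, so a wrong password stops the flow
    before the service reveals which further factors it would have asked for.
    """
    for factor in required_factors(ctx):
        result = proofs.get(factor)
        if result is None:
            return ("pending", factor)
        if not result:
            return ("denied", factor)
    return ("granted", None)


if __name__ == "__main__":
    at_office = LoginContext("alice", "US", "Houston")
    abroad = LoginContext("alice", "GB", "London")
    print(evaluate_login(at_office, {"password": True, "one_time_code": True}))
    # ('granted', None)
    print(evaluate_login(abroad, {"password": True, "one_time_code": True}))
    # ('pending', 'challenge_question')
    print(evaluate_login(abroad, {"password": True, "one_time_code": True,
                                  "challenge_question": False}))
    # ('denied', 'challenge_question')
```

Because the policy is evaluated in one place, the same rule applies to every cloud application behind the universal login, which is the consistency benefit the text describes; changing the office location or adding a factor is a one-line policy change rather than a settings change in each platform.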
Request a Free 21-Point Cybersecurity Audit Today from Neuron
Protect your business from security threats and ensure you have proper safeguards in place. Our 21-point cybersecurity audit can let you know where your weak spots are and provide solutions to minimize your risk.
Contact us today to request your free cybersecurity audit. Call 1-833-4-NEURON or reach out online.