Recognizing the Password Problem: Two-Factor Authentication in the Spotlight

Verification has been making the news lately. Earlier this month, Box announced that it was adding a two-step login verification, just weeks after Dropbox added two-step verification. And it was Wired journalist Mat Honan’s devastating personal identity hack in August that inspired my blog series on what it takes to build secure cloud services for the enterprise. Two-factor authentication for Honan’s Google account, after all, likely could have prevented the attack.

On Friday, the New York Times published “Doing the Two-Step, Beyond the A.T.M.” about the recent installation of two-factor authentication across companies like PayPal, Dropbox, and Google.

What’s at the root of this focus on verification? The password problem. We’ve talked about it again and again — weak passwords and the employees who use them are among the biggest threats to IT security.

In the Times story, Nick Berry, president of DataGenetics, discusses how he analyzed large password databases: after sifting through 30.3 million passwords, he found 3.4 million consisting of only four digits. Of these four-digit passwords, 11 percent were “1234,” whereas 6 percent were simply “1111.” Hackers don’t need a lot of creativity to get past those flimsy barriers.

Companies could certainly make it more difficult for hackers — and not just by strengthening employees’ passwords, but by using two-step verification. As Randall Stross points out, an ATM is the perfect example of two-step verification: it requires the presentation of both a physical card and a correct PIN. Websites can do something similar, like sending users a text message with a code after they input the first password. A would-be thief would need access to both a user’s password and phone to access the account.
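As an added illustration (not code from the original post or from any of the companies named), here is a minimal two-step login flow in Python along the lines the paragraph describes: the password is checked first, then a short-lived, single-use code is issued that would normally be delivered to the user's phone. The user record, phone number and limits are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: the password is kept only as a salted PBKDF2 hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": {"pw_hash": _hash_password("correct horse battery", _SALT),
                   "phone": "+1-555-0100 (constructed)"}}

CODE_TTL_SECONDS = 300   # second-factor code expires after five minutes
MAX_CODE_ATTEMPTS = 3    # stop online guessing of the six-digit code

# Pending second-factor challenges, keyed by username (in-memory for the demo).
PENDING = {}

def step_one(username: str, password: str, now: float = None) -> bool:
    """Step 1: verify the password; on success issue a one-time code."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, _SALT)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
    issued = time.time() if now is None else now
    PENDING[username] = {"code": code, "issued": issued, "attempts": 0}
    # A real service would now text the code to user["phone"].
    return True

def step_two(username: str, code: str, now: float = None) -> bool:
    """Step 2: verify the code; reject expired, over-tried or reused challenges."""
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    now = time.time() if now is None else now
    if now - challenge["issued"] > CODE_TTL_SECONDS:
        del PENDING[username]
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_CODE_ATTEMPTS:
        del PENDING[username]          # too many guesses: force a fresh step one
        return False
    if hmac.compare_digest(challenge["code"], code):
        del PENDING[username]          # single use
        return True
    return False
```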

We’ve always offered multifactor verification to keep our customers’ information as safe as possible. Now, Dropbox, Box, PayPal — and even Gmail — offer two-step verification options. There’s no taking chances in enterprise security.