Home / Blogs

Passwords Are Not Enough: Without Two Factor Authentication Your Business Is At Risk

Passwords are no longer sufficient to maintain an adequate level of security for business critical infrastructure and services. Two-factor authentication should be considered the minimum acceptable level of access control.

There have been two types of security stories in the technology news over the last few months that should be of particular concern to system administrators and those responsible for maintaining business network infrastructure.

1. Brute Force Attacks

It’s unfortunately a fact of life that people tend to be very bad at choosing and managing secure passwords. This applies less to technically adept system administrators—although they are not immune—, but most other people, including management and others with reason to access network infrastructure and business critical services often don’t have sufficient training in basic password hygiene techniques.

When a hacker decides to try a brute force dictionary attack against a business’ servers or their email, social media, or third-party infrastructure service provider accounts they are likely to find at least one weak account, and that’s often all that’s needed to establish a beachhead.

2. Stolen Password Databases

If password databases are properly hashed and salted, it’s unlikely that all but the most determined hackers are going to be able to extract usable information for them. Sadly, that’s frequently not the case, and password cracking technology has reached the level where inadequately hashed passwords can be fairly easily retrieved in a practical amount of time.

Your business may lose its password database to criminals at some point, but more worrying is the likelihood that employees have used the same identifying information on third party services like forums, which, when their poorly protected password databases fall into the hands of hackers, can be used against your business.

Even if employees haven’t used their business accounts improperly, if their personal email falls into the hands of hackers, and they have used it as a secondary address for their business accounts, then it’s trivial for the hackers to reset the passwords on the business accounts.

Passwords Are Inadequate

Passwords are too dependent on the level of technical expertise of their users and as technology advances are no longer sufficiently difficult to crack. Two-factor authentication should be implemented on all business critical infrastructure and services.

Two Factor Authentication

Passwords alone are one authentication factor. They are commonly described as something you know. Additional factors can be something you have and something you are. We’re not concerned with the latter here, biometric authentication can be very secure, but it can also be complicated to implement.

Instead, we’ll focus on something you have as a second factor. If you’re a user of Google’s services, you may be familiar with their Authenticator app, which is installed on mobile devices and provides a one-time code with a limited lifespan as a second factor of authentication.

Two-factor authentication is much more secure than using passwords on their own, and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.

Two Factor Authentication and DNS

DNS is one of the most important parts of the infrastructure of any site or online service. If it isn’t secure, hackers could knock a site offline completely or redirect visitors to sites that will infect them with malware. To avoid the embarrassment and loss of reputation and revenue that an attack target against a company’s DNS accounts can cause, a DNS hosting service that allows two-factor authentication should be used to verify the identity of those who need access.

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Domain Names

Sponsored byVerisign