Mitigating BYOD Mistakes with Two-Factor Auth
Duo Security has published a rebuttal to The Wall Street Journal's Tech Blog article "5 ways attackers exploit our bad BYOD habits", which listed five ways that BYOD can introduce security problems into an organization. Three of the points are worth summarizing:
- Open Wi-Fi networks: an attacker sets up an open wireless network in a coffee shop or other public place and waits for people to join it. The main risk is the capture of usernames and passwords in transit. Duo Security argues that a modern, out-of-band two-factor authentication solution blunts this attack because the user's identity is verified over a separate channel (the user's phone) that the rogue access point never sees.
- Man-in-the-middle attacks: with out-of-band two-factor authentication, an attacker sitting between you and the site may capture your password but cannot intercept the push notification delivered directly to your phone, so you keep control of the account. An unexpected push is also your signal that the password has been captured: deny it, then change the password and take whatever other precautions are needed to ensure the account is protected. The caveat is that this only holds if you actually deny a push you did not initiate; approving it completes the attacker's login.
- Password reuse: many people use the same password across multiple websites and accounts, so a single successful attack can be turned against all of them; once one account is compromised, the attacker will generally try that password everywhere else. Duo Security claims that two-factor authentication makes password complexity less important, because the attacker has to get through two factors rather than simply guessing the user's password. Furthermore, the user receives a notification that the second factor has been triggered, and so learns that someone else is trying to log into one of their accounts.
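To make the three points above concrete, here is a small simulation of an out-of-band, push-style second factor. It is an added example written for this post, not Duo Security's code or protocol: the server, the enrolled phone and the attacker all run in one process, the class names (AuthServer, EnrolledPhone), the account "alice" and her reused password are constructed for the example, and the 60-second challenge lifetime is an assumed value. It shows why a password captured on a rogue access point or by a man-in-the-middle is not enough on its own, why a replayed or forged approval fails, and how a denied push turns a credential-stuffing attempt into an alert for the account owner.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending push stays valid (assumed value for the example)


class AuthServer:
    """Server side: checks the password, then waits for the phone's answer."""

    def __init__(self):
        self.passwords = {}    # username -> password (plaintext only in this toy)
        self.device_keys = {}  # username -> secret shared with the phone at enrollment
        self.pending = {}      # challenge_id -> (username, nonce, issued_at)
        self.alerts = []       # (username, context) for pushes the owner denied

    def enroll(self, username, password, device_key):
        self.passwords[username] = password
        self.device_keys[username] = device_key

    def begin_login(self, username, password, client_ip):
        """Factor 1. A correct password only earns a pending challenge, not a session."""
        stored = self.passwords.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[challenge_id] = (username, nonce, time.time())
        # This dict is what travels over the second channel to the phone. The
        # context string lets the owner recognise a login they did not start.
        return {"challenge_id": challenge_id, "nonce": nonce,
                "context": f"login for {username} from {client_ip}"}

    def finish_login(self, challenge_id, response_tag):
        """Factor 2. The challenge is single-use, expires, and needs the device key."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        username, nonce, issued_at = entry
        if time.time() - issued_at > CHALLENGE_TTL:
            return False
        expected = hmac.new(self.device_keys[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response_tag)

    def deny(self, push):
        """Owner tapped Deny: drop the challenge and record an alert for them."""
        entry = self.pending.pop(push["challenge_id"], None)
        if entry is not None:
            self.alerts.append((entry[0], push["context"]))


class EnrolledPhone:
    """Device side: holds the enrollment secret; the owner approves or denies."""

    def __init__(self, device_key):
        self.device_key = device_key

    def answer(self, push, owner_started_this_login):
        if not owner_started_this_login:
            return None  # owner taps Deny
        return hmac.new(self.device_key, push["nonce"], hashlib.sha256).digest()


def run_scenarios():
    server = AuthServer()
    phone = EnrolledPhone(secrets.token_bytes(32))
    # Constructed sample account; the password is the kind that gets reused across sites.
    server.enroll("alice", "Summer2014!", phone.device_key)
    results = {}

    # 1. Owner logs in: password accepted, push approved on the phone.
    push = server.begin_login("alice", "Summer2014!", "203.0.113.7")
    results["owner"] = server.finish_login(push["challenge_id"], phone.answer(push, True))

    # 2. Replaying the already-used approval is rejected (challenge is single-use).
    results["replay"] = server.finish_login(push["challenge_id"], phone.answer(push, True))

    # 3. Credential stuffing: attacker has the reused password but not the phone.
    push = server.begin_login("alice", "Summer2014!", "198.51.100.9")
    tag = phone.answer(push, False)  # owner did not start this login and taps Deny
    if tag is None:
        server.deny(push)
    results["stuffing"] = server.finish_login(push["challenge_id"], b"\x00" * 32)
    results["alerted"] = len(server.alerts) == 1

    # 4. Sniffed password plus a forged approval: without the device key the tag fails.
    push = server.begin_login("alice", "Summer2014!", "198.51.100.9")
    forged = hmac.new(b"guess", push["nonce"], hashlib.sha256).digest()
    results["forged"] = server.finish_login(push["challenge_id"], forged)

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:9s} -> {'login succeeded' if ok is True else ok}")
```

The point of the exchange is that the password only buys the attacker a pending challenge. Completing it requires a fresh HMAC over a nonce the attacker never sees, produced with a key that exists only on the enrolled phone, and a single denied push leaves an alert for the account owner to act on.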
I think this article makes some pretty good points regarding account security and authentication, but I still feel that stronger, unique passwords should be used on every Web site or account, along with 2-factor authentication where applicable. We do not want to make it too easy for someone to guess one of our passwords. To me, a weak password is only a little better than using a default password or none at all. With rainbow tables and dictionary attacks, it is much easier for someone to guess a poor password. I have been using the free version of Duo Security two-factor authentication for about 6 months now and I think it works fairly well. The only problem is that I am limited in regard to the number of sites with which it is compatible.