Two-Factor Authentication is Only One Factor of Security

Mar 26, 2016

As more Internet services adopt two-factor authentication, companies and individuals may develop a false sense of security about e-mail phishing attacks. Many people work through their inboxes at a fast pace, clicking links without stopping to consider the identity of the sender, the nature of the attachments and links, or the consequences of failing to recognize a phishing attempt.

The Federal Trade Commission (FTC) can be quick to accuse companies of compromising the personally identifiable information of their customers, but the FTC is as vulnerable as any other entity. FTC Commissioner Julie Brill fell victim to a phishing attack, as she discussed in an interview with the Washington Post. Although Brill considers herself technologically sophisticated, as reported on CNBC’s Power Lunch when discussing the SPLS/ODP merger, she was duped by a relatively common attack. Brill told the Washington Post that “Once [the FTC IT managers] found out I had two-factor authentication and I had changed some passwords, they were comforted that I had done all that I could do.” However, two-factor authentication (“2FA”) is only one of many measures that can be taken to limit the damage from such attacks.

2FA can be an excellent way to improve the security of applications; however, it does not address several other risks that arise from e-mail attacks. For example, 2FA will not stop malicious code from being installed on a machine after a user clicks a link or opens an attachment carrying code that evades detection. At that point the machine can be “owned” by the attacker, who can then read information residing on it, log keystrokes (including the passwords and one-time codes typed into it), and alter or inject additional code.

Phishing attacks are really attacks on the human more than on the technology. Implementing comprehensive and practical information security policies, coupled with appropriate security awareness training, is one of the most effective ways to prevent security breaches. Consulting an attorney familiar with information security policies, with regulators such as the FTC, and with rules such as HIPAA and GLBA can be an excellent first step in securing the information that resides in a company’s systems.