For a business with more than a handful of employees, managing authentication credentials like passwords and usernames can be a huge headache, as Deloitte, a “Big Four” accountancy firm, discovered this September. A protracted breach of Deloitte’s networks, which leaked emails and other sensitive information linked to some of the biggest corporations in the world, could have been avoided if Deloitte had protected user accounts with two-factor authentication.
Deloitte boasts revenue in excess of $37 billion and is one of the largest auditing and accountancy firms in the world. It is also a leading provider of cybersecurity services. It appears Deloitte’s networks were compromised when a hacker gained access to log-in credentials for an admin account. There’s some disagreement about what was leaked, but Brian Krebs suggests a large amount of highly sensitive data was exfiltrated over many months.
It’s not known how the admin account was compromised, and there could be any number of explanations, from carelessness to brute-force attacks. But one thing is clear: two-factor authentication would almost certainly have prevented the attacker from gaining access, even if they had the admin user’s username and password.
Two-factor authentication uses an additional factor of authentication in combination with a username and password. The TFA most users are familiar with involves a one-time code being sent to a device in the user’s possession — their phone or a dedicated dongle. If the user can demonstrate that they know the number, it proves they have possession of the device. Passwords and usernames leak all the time, but it’s much less likely that an attacker would have access to the password, the username, and a trusted user’s unlocked phone at the same time.
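The one-time code described above is, in most authenticator apps, a time-based HMAC code (TOTP, RFC 6238, built on HOTP, RFC 4226): the server and the user’s device share a seed, and each 30-second window yields a fresh six-digit code that is useless once the window has passed. The example below is added here to show how a server verifies such a code; it is not Sentry, Google Authenticator or Duo Security code, and the 20-byte seed is the published RFC 4226 test secret, used only so the results are checkable. The `last_counter` bookkeeping and the `window` of one step either side are the usual defensive additions: the first stops a captured code from being replayed, the second tolerates small clock drift between phone and server.

```python
"""Server-side verification of time-based one-time codes (TOTP/HOTP).

Added example, not the code of any product named in the article.
"""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6      # code length most authenticator apps display
STEP = 30       # seconds per time window (RFC 6238 default)

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), used so
# the outputs below can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"


def decode_base32_seed(seed: str) -> bytes:
    """Authenticator apps are enrolled with a base32 seed; restore padding and decode."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, for_time: float,
                last_counter: int, window: int = 1):
    """Return the accepted time counter, or None if the code is rejected.

    - Accepts codes from `window` steps either side of now (clock drift).
    - Rejects any counter at or before `last_counter`, so a code that was
      already used (or an older one) cannot be replayed.
    - Uses a constant-time comparison so timing does not leak digit matches.
    The caller must persist the returned counter as the new `last_counter`.
    """
    current = int(for_time) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed walk-through: the seed an enrolled phone would hold.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of RFC_SECRET
    secret = decode_base32_seed(seed)
    now = time.time()
    code = totp(secret, now)                   # what the phone displays now
    accepted = verify_totp(secret, code, now, last_counter=-1)
    print("code", code, "accepted at counter", accepted)
    # Submitting the same code again must fail once the counter is recorded.
    print("replay accepted?", verify_totp(secret, code, now, last_counter=accepted))
```

The point the article makes is visible in the replay check: even an attacker who captures a valid code along with the username and password gets one short window, and only if the legitimate user has not already used it.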
Authentication leaks are among the most dangerous security breaches because they’re so hard to spot. There are few tell-tale signs: it looks as if an authentic user has logged in. In the Deloitte case, it seems the attackers were able to access the network from the fall of 2016 until this March.
eCommerce stores and web sites can more easily be compromised if retailers and publishers make the same mistake one of the biggest cybersecurity consultancies in the world made by trusting people to manage passwords properly.
Passwords are a strong form of authentication if they are managed intelligently. Long and random passwords used as part of a well-designed authentication system are next-to-impossible to discover. But most people, including developers and others you’d expect to understand the problem, don’t choose or manage passwords properly. Two-factor authentication provides a second layer of security that can keep a Magento store or WordPress site secure even if a user is careless with their password.
Magento retailers should take a look at Sentry, a Magento two-factor authentication plugin Hostdedi developed in partnership with Human Element. Sentry works with the Google Authenticator and Duo Security services to provide easy-to-use TFA for Magento eCommerce stores. WordPress users should consider WordPress Two-Factor Authentication.