It's time for companies to practice their own 2FA preaching
You can hardly get a password typed in these days without bumping into two-factor authentication.
Anybody with a cloud app or service is thinking about it. Those that have been hacked are doing something about it. SendGrid being the latest.
SendGrid is encouraging end-users to enable two-factor authentication (hint: it looks pretty easy to do), and the company is promising to enhance its current 2FA system to "support additional authentication methods" beyond the six-digit phone code already offered.
It's a reasonable authentication option to offer end-users considering that many are faking security with their poorly conceived passwords.
Over 90 percent of data breaches in first half of 2014 were preventable
The question then becomes what is happening internally in companies like SendGrid and others over the years that have suffered internal breaches such as LinkedIn, Twitter, Facebook and Dropbox.
When Twitter loses 250,000 passwords, they are not pilfered one by one from end-users by hacking shoddy passwords. The typical pattern for massive attacks shows they begin by targeting internal accounts.
In the SendGrid case, as in many others, phishing attacks give hackers credentials they then use to move around an enterprise to internal targets that are more profitable.
How would 2FA help in this scenario? Even SendGrid's phone codes (and the issues around this option), would provide better security than just a password. And phishing is reduced as an attack vector.
And there are stronger options emerging that combine easier-to-use with better security such as geo-location, GPS, and public key cryptography. The FIDO Alliance counts as members a number of companies that develop all sorts of modern strong authenticators that can help secure internal end-users.
To support enterprise adoption, Google even introduced an enterprise management console for the two-step verification system added to its Drive for Work platform, which provides collaboration and storage. The tools specifically answered enterprise needs for operations such as controlled rollouts and revocation.
Most companies don't publicly discuss their internal security and SendGrid appears to be no different. But I do know a number of high-profile companies that have already discovered what is good (2FA) for the goose (end-users) is good for the gander (enterprise). And they are requiring all types of 2FA authentication, especially for their developers and internal privileged accounts. The accounts hackers most covet to speed up their covert work.
Part of what pushes the 2FA trend is that companies typically don't have to dramatically change or update infrastructure or re-design their entire API. Two-factor authentication typically requires only isolated changes that offer a security bump for little extra effort. They provide a safe-harbor where companies can take a deep breath and decide what to do next.
The nut has always been how do you get employees to get in line, but modern 2FA options are not your father's key fob. I am not assuming 2FA is a panacea. There are no panaceas in tech security only reasonable facsimiles at best.
What cloud apps and services are proposing to help protect customers should be the same things those companies are rolling out internally. The other benefit beyond better security is that companies who raise security internally may not have to worry as much about trying to modify the habits of their end-users, which historically is the definition of a losing battle.
(Disclosure: My employer is a member of the FIDO Alliance)