Two-factor authentication (2FA) -- using something like a security token, an authenticator app, or a code sent via SMS to your phone to supplement a password -- is hardly new. Indeed, you may already use 2FA to provide remote access to your company’s webmail, VPN, or administrative tools. Yet, despite broad availability of 2FA and an increasing awareness of the limitations of passwords, many organizations still fail to implement 2FA for securing high-value external services, such as their social media accounts, domain name registrations, and cloud/web hosting services.
There have been numerous examples in the past year of organizations’ Twitter, Facebook, and other social media accounts being hacked through stolen credentials and used for shady purposes. Given how strongly social media can represent a brand, it’s no surprise that the effects of these hijacks have ranged from embarrassment to fanning political flames to sending the stock market plummeting briefly. (The effects for the IT security people who failed to protect their accounts likely ranged from sleepless nights to termination from their jobs.)
A compromised user account was also responsible for the hijacking of domain names belonging to The New York Times and Twitter last year. A stolen domain name gives the attacker control of a business’s web traffic (i.e., its customers and prospects), its incoming email, and more. In the case of last year’s attack by the Syrian Electronic Army (SEA), the NYT was effectively offline for a time, and both Twitter and the NYT can be thankful that the SEA didn’t use the opportunity to spread malware or otherwise harm their customers.
In perhaps the most extreme case of a compromise gone awry, a company called Code Spaces was recently put out of business after losing control of its Amazon Web Services account. Once the attackers had access to the AWS account, they were able to delete all the company’s servers and data. While this may be an edge case, it’s not hard to imagine a company’s website getting deleted or a critical cloud server getting rooted due to a poorly selected or protected password.
Fortunately, all of the major social media services and many business-focused domain name registrars and hosting providers offer two-factor authentication. One objection I’ve heard from IT professionals is that they need to share access to an account, and 2FA systems are designed by nature to require a single person to have the authentication token or device. Of course, sharing accounts is a bad idea in the first place, and using it as an excuse to avoid 2FA just makes it worse. There are services that allow a company to set up multiple 2FA-protected user accounts that can all control one or more authorized social media accounts. And it’s not uncommon for registrars and hosting providers to offer multiple user logins, each protected by 2FA and each with a different level of access to the account.
If your organization’s social media, domain, or hosting account isn’t secured with 2FA today, add it to your to-do list now. And if your vendor doesn’t offer the security features you need, it’s time to find a new vendor.