Multi-factor authentication is steadily becoming a mainstream login protection mechanism, adopted by many organizations as well as by popular websites such as Twitter, Facebook, Gmail and Amazon.
The use of multi-factor authentication or any other type of two-step verification (2SV) adds an additional layer of security to your login process. This is an excellent way to further protect your information.
It might be tempting to conclude that multi-factor authentication removes the need for a strong password, since an attacker would not have access to the secondary “something you have” factor that completes the login process.
Unfortunately, the need for strong passwords is still important – even when using multi-factor authentication.
Security researcher Beau Bullock at Black Hills Information Security recently discovered a flaw in Microsoft’s Outlook Web Access and Office 365 that bypasses multi-factor authentication, enabling a full search of mailboxes with the knowledge of only a person’s username and password.
You can read the technical description of the exploit if you’re interested in more information, or watch a video demonstration.
It should be noted that at least one product vendor has been experimenting with this flaw to enhance its penetration test and defense capabilities. The technical description includes an explanation of why the flaw cannot simply be turned off.
The important lesson here is to not fall into a mindset that using multi-factor authentication allows you to use poor passwords, or worse, reuse the same passwords on multiple sites.
The multi-factor token might change on every login, but as long as methods exist to bypass multi-factor authentication, the need for strong, unique passwords remains. Now would be an excellent time to look at the many password manager programs available to help you.
Remember that security is approached best by using a layered defense, and allowing a weakness in any of those layers just makes the job of an attacker that much easier.
Read more about two-step verification:
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security
- How to protect your Nintendo account from hackers with two-step verification (2SV)
- How to better protect your Roblox account from hackers with two-step verification (2SV)
Nice article. I fully agree.
Informative article; thank you.
However, this does depend on the website even allowing for 2SV, or even more than 12 characters (including special characters like %$%"!).
Given the opportunity to use actually strong passwords (banks are the worst culprits here, IMHO), I always let LastPass generate my passwords (sometimes I add a space, just to be a BOFH), but essentially I only know my LastPass password, not any others – they're so complicated & random.