Lorrie Cranor knows a thing or two about the importance of two-factor authentication (2FA). Cranor is a Carnegie Mellon professor who specializes in passwords and security. She's also the former chief technologist of the Federal Trade Commission. Oh, and she's the victim of a mobile phone hijacking plot against her family — one she's confident 2FA could have prevented.
Cranor's experience is enough to make anyone shudder: In the summer of 2016, someone walked into a carrier store and identified herself as "Lorrie Cranor." The crook provided a fake ID and said she wanted to upgrade to a new iPhone. She walked out of the store with two shiny new devices — connected to Cranor's family numbers — and a bill left behind in Cranor's family name.
[ Find out if your data and passwords are being sold on the dark web.. | Get the latest from CSO by signing up for our newsletters. ]
"In that scenario, the carrier should have texted the phone, and it would have solved the problem," Cranor says. "The thief didn't have the old phone. It was in my hand."
To this day, 2FA is still hit and miss at the major U.S. mobile carriers. The resulting weakness in security should serve as an eye-opener for any company whose employee data is protected by a single password.
What is 2FA?
2FA adds an extra layer of protection to the authentication process. It requires users to provide a second piece of identifying informtion in addition to a password. Examples of 2FA include answering a question like "What was your high school mascot?" or entering a verification code received via text message.
Why use 2FA?
The notion of 2FA as a best security practice is no longer even remotely new. Google brought the advanced form of online security into the mainstream conscience with the launch of multilayered protection for enterprise customers in 2010 and then for all Google users in 2011. Facebook followed soon after. Yet, according to a recent report by the Pew Research Center, only 10 percent of American adults can correctly identify a two-factor-enabled login screen from a set of four choices.
Another report, from Duo Labs, estimates a measly 28 percent of Americans actually use 2FA on a regular basis. More than half of those surveyed by the firm had never even heard of it.
That, to put it mildly, is troubling. "People should all be looking at 2FA, even for minor things — if they're just buying toothpaste at a shopping site," says Patrick Wardrop, chief product architect of IBM's Identity and Access Management division.