John, I'm afraid I've got some very bad news for you.
Brennan didn't have a bad password, he didn't e-mail it to anyone, and he wasn't even tricked into entering it into a fake web page. The security failure here belonged to AOL and Verizon, and it wasn't even a technical failure at that. Now Brennan's e-mail is part of Wikileaks and a thousand articles.
Security experts, 360is included, have long recommended two-factor authentication systems to all of our clients, and yet still relatively few organisations have this kind of authentication. Their reasons? Cost, complexity, and (in)convenience. Over the last 20 years a number of different companies have attempted to tackle the three Cs; some of the more recent attempts make use of mobile devices and "soft tokens" on those devices, or they use instant messaging as a secure channel to convey a passcode or challenge/response.
Is there such a thing as too much convergence?
What if we are using multi-factor authentication, but thanks to the wonder of converged communications all my factors converge on one single device, normally a smartphone or tablet? What if that device were itself compromised? Mobile devices can be cloned, rooted, or otherwise compromised just like any computer. How would that possibility change the level of trust you place in these kinds of multi-factor authentication? What if I am also trying to log in to the secure service in question from that very same mobile device? If an attacker has my phone under his control, or has bamboozled me into doing something with it which helps him, what happens to "defence in depth" and "fail safe"?
For these reasons, and because we don't think using two-factor authentication should mean you have to trust a third-party organisation, we recommend keeping your factors as separate as possible for as long as possible. Talk to us if you want to harden your organisation against hackers, social engineers, and end users who sometimes make poor security choices.