JP Morgan Chase Fails at 2FA—Duh
If you are actually shocked that the JP Morgan Chase breach involved a failure to enforce two-factor authentication everywhere, then you haven't been paying attention to the information security incidents of late.
How did the Target breach start? Stolen credentials.
How did the Home Depot breach start? Stolen credentials.
How many breaches did Mandiant say involved stolen credentials? 100%.
No matter how many terrible adages we have about how "attackers will always go after the weakest link in the chain," organizations continue to miss a server when rolling out a security control, and sorrow ensues.
If an attacker has 100 servers to target, and a set of credentials, they've got pretty solid odds that someone goofed on configuration of two-factor authentication or on configuring another compensating security control.
Comprehensive implementation has to mean 100%. Anything less than 100% and you're going to get breached. Even with 100%, you still may get breached, but if recent history teaches any lessons, it's that imperfection is the name of the game.
Sure, a failure to properly implement two-factor authentication isn't the only problem in any of these stories, but it's a big part of the gap that let attackers get the foothold they needed to at least start wreaking havoc.
Don't fool yourself: two-factor authentication is a highly effective authentication security mechanism when implemented comprehensively and with out-of-band technology in use. Organizations that already use such a control should figure out how they can get insight into their own environment to verify whether they've hit the 100% mark of usage.
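One way to check for the 100% mark, as an added example that is not part of the original post: reconcile an inventory of login-capable hosts against an export from the 2FA system, so that the server nobody enrolled shows up as a gap. The CSV formats, hostnames and policy values below are constructed assumptions, not any product's real export.

```python
import csv
import io

# Constructed sample data: an asset inventory of hosts that accept logins,
# and a policy export from a hypothetical 2FA system (both formats assumed).
INVENTORY_CSV = """host,login_service
web01.corp.example,ssh
web02.corp.example,ssh
VPN01.corp.example.,vpn
hr-app.corp.example,https
legacy-db.corp.example,ssh
"""

MFA_EXPORT_CSV = """host,policy,bypass_accounts
web01.corp.example,enforced,0
web02.corp.example,optional,0
vpn01.corp.example,enforced,0
hr-app.corp.example,enforced,2
"""

def normalize(host):
    """Compare hostnames case-insensitively and without a trailing dot."""
    return host.strip().lower().rstrip(".")

def load(text, key="host"):
    """Index CSV rows by normalized hostname."""
    return {normalize(r[key]): r for r in csv.DictReader(io.StringIO(text))}

def audit_2fa_coverage(inventory_csv, mfa_csv):
    """Return (coverage_fraction, gaps) where gaps maps host -> reason."""
    inventory = load(inventory_csv)
    mfa = load(mfa_csv)
    gaps = {}
    for host in inventory:
        record = mfa.get(host)
        if record is None:
            gaps[host] = "not known to the 2FA system"
        elif record["policy"] != "enforced":
            gaps[host] = "policy is '%s', not enforced" % record["policy"]
        elif int(record["bypass_accounts"]) > 0:
            gaps[host] = "%s bypass account(s)" % record["bypass_accounts"]
    covered = len(inventory) - len(gaps)
    return (covered / len(inventory) if inventory else 1.0), gaps

if __name__ == "__main__":
    coverage, gaps = audit_2fa_coverage(INVENTORY_CSV, MFA_EXPORT_CSV)
    print("2FA coverage: %.0f%%" % (coverage * 100))
    for host, reason in sorted(gaps.items()):
        print("GAP %s: %s" % (host, reason))
```

The audit is only as complete as the inventory it starts from, so the host list should come from a source independent of the 2FA rollout itself.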
No security control is a panacea, but if passwords are the weakest link in a security chain, two-factor authentication may be your only realistic hope.