For most websites it only takes two simple things to log in and make changes: a username and a password. Complicating matters is that the first thing, the username, is often publicly known because it is the easily discoverable email of the user or it is the username that is displayed on every post and comment on the site. That leaves the second thing, the password, as the only real line of defense between your site and a would-be attacker.
Unfortunately, as many security professionals have said for years, the password is often a very weak form of security. Not only are users notoriously bad about creating strong passwords (check password strength here and learn how to make a strong password), but over 175,000,000 user passwords (along with their usernames and/or emails) are publicly known (check password publicity here) with hundreds of millions more available privately. It is no surprise that weak passwords contributed to 31% of data breaches in 2014.
Fortunately, there is a security practice called Two-Factor (or Multi-Factor) authentication that can help developers provide additional methods of authentication beyond just the password. The two most common methods involve authentication through an SMS message, or a one-time code generated via an application on a user's mobile phone. More advanced methods such as using biometric information, location through GPS, or a hardware token are also possible. By requiring a second form of authentication (especially one tied to a physical device like a mobile phone or a USB key), would-be attackers not only have to compromise a user's password, but also their mobile phone or physical USB key, which makes the attack much more difficult. Learn more about these practices by reading Multi Factor Authentication in Drupal Watchdog and Two Step Authentication on WordPress.org.
If you are interested in implementing these techniques on your website, I wrote a handy guide for implementing Two-Factor Authentication on either a single site or organization wide. For more information, check out "Secure Your Site with Two-Factor Authentication" as part of the Pantheon Guides.

Topics: Security, Drupal, WordPress