Clavister Blog Staff

A powerful vote for multifactor authentication


Now that the dust is settling after the U.S. Presidential election, it's worth looking back at one of the most controversial incidents of the run-up to the election itself, and at how that incident might never have happened if the parties involved had been using appropriate cybersecurity measures.

The incident started in March 2016, when the personal Gmail account of John Podesta, chairman of Hillary Clinton's 2016 U.S. presidential campaign, was compromised following a spear-phishing attack. The attackers stole several thousand emails, many of which pertained to Clinton's election campaign activities, and these were passed to Wikileaks, which published them in early October, ahead of the election.

It's hard to say exactly what impact the leaked emails actually had on the election's outcome: the breach was certainly a main talking point on the news for several weeks, although Clinton still won the popular vote by over 2.5 million. But the fact remains that the original breach would probably not have happened at all if Democrat campaign staff had been using two-factor authentication (2FA) or multi-factor authentication to secure access to their various work and personal accounts.

Multi-factor authentication, when enabled on services such as Gmail, Twitter and others, adds a second layer of verification after the initial password check, usually by sending a code to the user's mobile phone. This code is both single use (it only works for that specific login attempt) and difficult to intercept (because it goes directly to the user's phone, which they will almost always have with them, rather than to an email account which may already have been compromised). As such, it is a far more robust security measure than a password alone. With it enabled, an attacker would not be able to get into an account such as Gmail, even if they did manage to spear-phish the user's password.
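To make the two properties above concrete, here is an added Python example (not code from Clavister or from any of the services named) of a hypothetical server-side second-factor store: each code is bound to one login attempt, expires, is consumed on first successful use, and is locked after repeated wrong guesses, so a phished password on its own never completes the login.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 5         # lock the challenge after this many wrong guesses


class SecondFactor:
    """Hypothetical store of single-use codes, each bound to one login attempt.

    Delivery to the user's phone is outside this example; issue() returns the
    code only so the caller can hand it to the sending channel."""

    def __init__(self, now=time.time):
        self._now = now
        self._challenges = {}  # login_id -> {"code", "expires", "attempts"}

    def issue(self, login_id):
        # Fresh random 6-digit code per login attempt, unrelated to the password.
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[login_id] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, login_id, submitted):
        ch = self._challenges.get(login_id)
        if ch is None:
            return False  # no challenge: never issued, already used, or locked
        if self._now() > ch["expires"]:
            del self._challenges[login_id]  # expired codes are discarded
            return False
        ch["attempts"] += 1
        if ch["attempts"] > MAX_ATTEMPTS:
            del self._challenges[login_id]  # too many guesses: lock this attempt
            return False
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(ch["code"], submitted):
            del self._challenges[login_id]  # single use: consumed on success
            return True
        return False


def login(store, password_ok, login_id, submitted_code):
    """Both factors must pass; a stolen password alone is not enough."""
    return password_ok and store.verify(login_id, submitted_code)
```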

It's also worth noting that the attack against John Podesta's email started with a plausible-looking 'Google security notification' containing an embedded link, which asked him to key in his username and password for verification. His credentials were then captured by the attackers. It's easy for us to look back and think that we'd never fall for a scam like that. But all it takes is a moment's inattention or distraction, and the damage is done. That's why user education is important: every employee in an organization should understand what phishing is, what the classic warning signs of such an attack are, and what the risks are of clicking on an unknown link or attachment in an email.

When it comes to securing access to critical services, whether those are personal email accounts or corporate applications, a little caution costs nothing but goes a long way. And it makes a powerful vote for protecting accounts with multi-factor authentication.