Hackers can easily use stolen usernames and passwords to conduct cyberattacks because many online accounts still don't use two-factor authentication controls designed to help keep them safe.
Two-factor authentication (2FA), or multi-factor authentication (MFA) as it's alternatively known, is one of the key methods that individual users and wider organisations can use to help protect their online accounts from being hacked, even if their login credentials have been leaked or stolen.
However, according to the DCMS Cyber Security Breaches Survey 2022, only around a third of organisations have any requirement for two-factor authentication on user accounts: the figure stands at 37% for businesses and 31% for charities.
That means that around two-thirds of organisations don't have any rules around two-factor authentication at all, so employees are unlikely to be using it, leaving their user accounts vulnerable to cyberattacks and hacking.
Two-factor authentication creates an additional layer of protection, requiring users to use a text message, app or hardware key to confirm that it's really them attempting to log in to their account. This can help to stop cyber criminals from logging into online accounts with breached or stolen passwords.
But with so few users equipping accounts with two-factor authentication, cyber criminals could directly access accounts if they've got the login credentials, whether the username and password are stolen using a phishing email, guessed because they're weak or taken from a previous data dump.
Breached accounts, particularly those accessed using remote desktop protocol, can be used to steal additional information, or be quietly used to move around the network and lay the foundations for a malware or ransomware attack.
Two-factor authentication is more widely used in some sectors than it is in others. For example, DCMS data says there are policies in place in around two-thirds of businesses in information and communications, while under one in five businesses within food and hospitality have rules around it.
Other industries with low uptake of two-factor authentication are utilities, production, and manufacturing, where only 28% of businesses have any policies in place. These critical industries are already a tempting target for cyber criminals, particularly ransomware gangs, and the lack of additional protections on accounts leaves them even more vulnerable.
At a time when the government is urging organisations to be wary of cybersecurity threats, more needs to be done to ensure that two-factor authentication and other cybersecurity measures