Two-factor authentication is in the spotlight again after the Twitter accounts for three CBS brands -- 60 Minutes, 48 Hours and a Denver news affiliate -- were hijacked and later suspended this weekend.
The episodes add to a long list of media outlets and big companies that have been compromised in recent months.
So why don't more people use two-factor authentication, a more demanding method of accessing an account than a password-only process? The answer: Laziness or friction, depending on how you want to think of it.
In enterprises, two-factor relies on hardware tokens that generate passcodes that are valid for just moments and must be entered along with the usual password. Consumer Web services such as Google or Facebook will send a one-time unique passcode to a user's mobile device, either as a text message or, in Apple's case, to an iPhone or iPad via the Find My iPhone app's notification feature. Without that code, you can't log in.
The hackers in the CBS case appear to have political motivations, tweeting things like "The American people must stop their government, before the whole world is destroyed," as well as claims that "the Syrian army fights for all humanity" and a suggestion that the Boston bombers are professionals under U.S. government protection.
The latest incidents aren't isolated.
In recent months hackers also took over the Twitter accounts of Burger King, Jeep and MTV. Yet a simple thing could make a hacker's job much more difficult -- two-factor authentication.
Even though Twitter itself has been rumored to be working on offering its users two-factor authentication, you're still going to see incidents like the ones currently plaguing CBS. That's because even the tiniest bit of friction is enough to deter people from using extra security.
Think of it this way -- everybody knows (or should know) that you should never use the same password for more than one account. In addition, all these unique passwords need to be long, include special characters and be completely random so that a bad guy can't guess them.
Something like 472vY!5@0ndw33k3nd might be a good example. Of course, that can be hard for the user to remember, and it isn't a good idea to write down passwords because you could lose them and they could end up in the wrong hands.
You can use a password manager such as LastPass to store all the dozens of impossible-to-memorize passwords it takes to keep all your accounts safe, but even then, it takes work. Every time you want to log in to Mint, or your email, or your bank or Twitter or anywhere, it involves taking the extra five seconds to retrieve your password -- which you'd think would be time well spent, but when you multiply those five seconds by all of the many accounts you need to access in a day, it can feel like a lot of extra steps for what may seem like a phantom threat that may never materialize.