
Bitly Breach Underscores Need for Two-Factor Authentication

The Bitly breach is another example of how insecure passwords are, and of the value of two-factor authentication.
Created: 13 May 2014 • Updated: 14 May 2014
Teresa Law

In the article “Bitly embraces two-factor authentication after data breach,” Forrester analyst Andrew Rose said, “Reading Bitly's comments today, two things jump out - Bitly's comments about "immediately enabling two factor authentication" for a remote data store, suggests that their remote access methodologies were simple ID and password. This is a vulnerable state to be in and one which has ultimately come back to haunt them.”

Bitly is the latest in a growing number of companies finding value in two-factor authentication, which has now been enabled for Bitly accounts on the source code repository, company-wide and at third-party services. They say end users don't have this facility yet, but they are working on “accelerated development” of two-factor authentication for

As the Heartbleed vulnerability brought to light, the possibility of passwords being stolen poses a serious security risk for users and organizations that rely solely on them. A stolen password gives attackers access not only to the compromised user account, but also to any other account where that password is used. And reuse is a big problem with passwords – on average we have 26 password-protected accounts and 5 passwords (infographic).

For businesses, it’s not just the loss of sensitive information that they must contend with post-breach, but also the potential loss of business. According to a recent survey, a third of US consumers would avoid a retailer after a data breach. If this attitude is shared by consumers in the UK, then some UK e-commerce sites may be in for a rude awakening. A study of the top 100 UK e-commerce sites found that they are not doing enough to safeguard users from their own password-related foibles.

Two-factor authentication offers another layer of protection – even if the password is compromised, the attacker must also have the second factor (be it a one-time password, VIP Push Mobile Access, or token-less authentication). Whether it’s securing access for remote users or online applications, two-factor authentication should be enabled. Many online applications use VIP to provide that second factor – you can register your mobile credential with any business in the VIP Network to enable two-factor authentication for that site.
