If even a five-year-old can crack the Xbox password security...SecurEnvoy 09/04/2014, Archive
...how much damage could a professional hacker do in a company network? At just five years of age, Kristoffer von Hassel recently caused a stir when he effortlessly circumvented the Microsoft Xbox console's password security. He wanted to log in using his father's account and entered an incorrect password into the query field. The verification screen then opened up and he simply pressed the space bar a few times. Once verified, the boy was able to access his father's Xbox account without any problems. Had he been asked to enter a second factor in addition to the password, access would not have been so easily granted.
A possible additional factor could have been, for example, a biometric trait (such as a fingerprint) or something belonging to the account owner, e.g. a smartphone. If a tokenless, two-factor authentication had been used, the boy would have had to enter a numeric code in addition to the password. The numeric code to be entered would, for example, have been sent to his father's mobile phone. The use of this approach would have meant that circumventing the password security alone would not have been enough to gain access to someone else's account, as the second factor would have been required for identification.
A much more significant and sensitive issue than game scores etc. is the data circulating in company and government agency networks. Would it not make sense then to protect this information using two-factor authentication, instead of relying solely on a user name and password?