back to article gone phishing has been caught with its pants down after phishers persuaded an employee to hand over customer contact details. In a letter to customers yesterday the, er, customer relationship management (CRM) software vendor admitted that it had been hit by a number of dodgy phishing and malware attacks. Salesforce said that …


This topic is closed for new posts.


Velly populah in chinah.. we likey velly much all your base is belong to us :)

0 makes 2FA security a Catch-22 choice for SMEs

The phishing incident should not come as a surprise to anyone. The growing popularity of the SaaS model means that providers like, NetSuite and Oracle are managing increasingly sensitive business applications and data for more and more high profile customers. It's too big a honeypot for the Internet Underworld to ignore.

It's really positive that are now recommending the use of two-factor authentication (2FA) to secure the login to their service, but there is one major flaw: to replace their basic password with a 2FA process you need to enable their 'Single Sign-On (SSO) function. Unfortunately this SSO function is limited in the Professional Edition - the SME version which is used by the vast proportion of their customer base.

For these customers, SSO is a 'global setting' so it is either 'on' or 'off' for all users. This means that if 2FA tokens are to be deployed - they have to be issued to every single user; which can be simply too costly.

So for all Pro Edition customers, in order to follow's security advice, they have an costly Catch-22 choice: either upgrade to the more expensive Enterprise Edition or give everyone 2FA whether they need it or not.

It's a fallacy that only big companies use 2FA, we have hundreds of customers of all sizes using our fully managed two-factor Secure Authentication Service, some with just a handful of users.

It is frustrating that our customers cannot extend the use of their tokens to secure their accounts too. If were to make SSO a 'per user' setting on Pro Edition, this would show that they are committed to helping all customers improve their security.

John Stewart


Signify - The Secure Authentication Service

This topic is closed for new posts.