In a tweet sent out at after midnight on Wednesday night, Sony announced it was enabling two-factor authentication (2FA) for its PlayStation Network (PSN).
The initiative is being made to improve security and to defend against incursions into the PSN service, which allows participants to play games online, maintain a profile, communicate via text and video messages, and conference in other gamers.
With the security feature added on Thursday, registered PlayStation and PSP owners can now enable 2FA, or what the company is calling two-step verification (2SV). Gamers can click over to a Sony security page to activate the feature, which, in addition to a password and username, will require future logins to key in a code sent via SMS to the user's mobile device.
"By requiring two forms of identification for sign-in, your account and personal information will be better protected," Sony stated in its release note.
The move comes nearly two years after a massive data breach not only crippled the company's operations but resulted in embarrassment and a $15 million settlement in April of a class action suit with employees (and lawyers) over the siphoning of personal information in November 2014. The computer hack was in retaliation for the release of the film The Interview, which skewered North Korean leader Kim Jong-Un.
Earlier, in April 2011, the company was targeted in another attack in which the personal details of 77 million accounts – including names, dates of birth, email addresses, and credit card numbers – were breached. In that case, PlayStation gamers were shut out of their online accounts for nearly a month.
Two-factor authentication is acknowledged to be an effective deterrent against cybercriminals. It doesn't provide 100 percent security, but it does provide an added layer of defense that could prove effective in preventing bad actors from making off with account details.
"Two-factor authentication is a much more secure way of logging into an application," Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security, told SCMagazine.com in an email on Thursday. "An attacker will not only need to compromise your username and password, but also compromise your mobile device or intercept that message in transit. This extra layer of security greatly decreases the chance of compromise."
While 2FA doesn't completely eliminate the risk, "it certainly makes it leaps and bounds more secure than a simple username and password combination," he added.
Microsoft rolled out 2FA on its Xbox Live network three years ago. Instagram, Apple, Google, Twitter, Dropbox and Facebook have offered the verification strategy for years as well.
However, there are efforts underway to move away from this verification strategy. Last month, the National Institute of Standards and Technology (NIST) issued proposed updated guidelines which recommended shifting away from SMS text messages as one of the “factors” in two-factor authentication.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,” the report stated. The agency cited particular concern over the use of VoIP or other software-based services to transmit SMS.
In the future, WhiteHat's O'Leary told SCMagazine.com, computer users will need to come up with even more secure means of logging into applications, "but for now two-factor authentication is both more secure and more user friendly than more advanced options."
He admitted that Sony's embrace of two-factor authentication comes fairly late in the game. "But rolling this out shows they are putting measures in place to protect their customers," O'Leary said. "It's better to roll it out late then to never roll it out at all."
Another expert was not as appeased. "The fact that Sony provided additional defenses to protect the identities of its customers two years after its competitors, or even five years after its huge breach, will be a minor footnote in the history of large multinational enterprises battling against cybercrime," Renee Bradshaw, manager of solutions strategy at Micro Focus, told SCMagazine.com in an email on Thursday. "While the threat landscape continues to evolve, what hasn't changed is the singular focus cybercriminals have on stealing the identities (via credential theft) of people to gain access to targeted assets – whether the assets be patient data to be encrypted for ransom, or credit card information used to purchase games on a PlayStation."
The requirement of having a mobile device on which to receive the access code (second factor) is a good touch, Bradshaw said, another barrier for the cybercriminals to overcome. "Now it's up to Sony to continue that level of security innovation, and write the next chapter in what promises to be a very lengthy history of the war waged between enterprises, cybercriminals and the consumers caught in the crossfire."
Sony gamers are being strongly advised to enable 2FA, or 2SV, for the PS3, PS4, PS Vita, PS TV, Xperia devices and the PlayStation App (PS App). Gamers can reach the option on their Sony network by going to Settings/ PlayStation Network Account Management/Account Information/Security/2-Step Verification. Or, click here.