ZDNet on how a CIA-backed startup discovers that federal agency employees' logon credentials and passwords have been leaked online:

A CIA-backed startup has discovered login credentials and passwords for 47 US government agencies littered across the Internet — leaving federal agencies potentially at risk of cyberattack.

Recorded Future, a Boston-based data mining firm backed by the CIA’s venture capital arm, said in a research report that credentials belonging to 47 US government agencies have been found across 89 unique domains.

Two-factor authentication is an option offered by various online services, including Facebook, Gmail and PayPal, to heighten individual security and provide a second layer of defense. As passwords are far from the most secure way to protect and authenticate an account, if credentials are stolen, two-factor authentication — such as linking a mobile phone to your account — can be used to prevent unauthorized entry.

However, as of early 2015, 12 of the US agencies — including the Departments of State and Energy — which have lost credentials online do not stipulate the use of two-factor authentication when users access their systems. As credentials have been leaked, this leaves these departments open to unauthorized access.

It is unbelievable in 2015 that federal agencies are not mandating two-factor authentication for, at the absolute very least, user and privileged user logon. DoD implemented this requirement almost ten years ago. That the rest of the US government is so far behind the power curve is astonishing.