Two-Factor Authentication in the News
Posted on March 31st, 2016
The IBJ has another article that discusses the Anthem breach. Like many articles from many sources before it, it does a poor job of distinguishing the different uses and types of two-factor authentication.
If you are not aware, two-factor authentication requires that you use two independent ways to prove who you are. This is often implemented by combining something you know (an account name and password) with something you have (a special token or certificate).
It is becoming common to use two-factor authentication for things such as remote access to a network (e.g. VPN). But it is incredibly uncommon to use true two-factor authentication for most internal resources, such as business databases. At present, most security teams that would try to implement two-factor authentication for database access would find themselves at odds with the business and perhaps soon not getting funding for their work. These are very different business cases, at present.
In other words, we should not discuss internal data two-factor and external access two-factor as if they are basically in the same category. Reporting frequently does not clearly make this distinction.
Over time, we see more business understanding of these risks, partly because of breach headlines and partly because information security is learning to do a better job of managing and explaining risk. So it is likely that we will see greater support for internal uses of two-factor in the future, but for now we must understand that the differences in deployment are great.