Usernames and passwords are still the primary means of authentication for most businesses. Unfortunately, default usernames and passwords are never changed. Even worse, the passwords users create are easy to break or guess and are reused across multiple websites and services. Additionally, small and medium businesses (SMBs) may not even know how to configure password policies for the devices on their network, which leaves default settings in place that provide no security and give a hacker unlimited time to crack passwords. I cannot explain in dire enough terms how quickly usernames and passwords must go away.

So what is two-factor or multi-factor authentication? There are three primary factors: something you know (username, password, and security questions), something you are (biometrics: fingerprint, retina scan, voice recognition, palm scan, et cetera), and something you have (smartcard, token device, or phone). The price of these multi-factor authentication models varies as much as the factors selected. If you run a Windows domain, the most cost-effective solution is smartcard authentication using the built-in services Microsoft has provided since 2000.

Implementing a two- or three-factor authentication system in your company's network is probably the single most important security solution one can include in a defense-in-depth plan. The world should have converted to multi-factor authentication a decade ago; it is that important. Two-factor authentication is so important that 38% of the black hat hackers surveyed at this year's convention deemed it the biggest obstacle, followed by encryption.