2FA or Not 2FA

Opting in on an extra step for cybersecurity

December 12, 2018

Despite gradual industry acceptance of two-factor authentication (2FA), many consumer websites still don’t provide a full set of 2FA options—including easily accessible and clear-cut information for users—according to a recent study.

Growing Customer Acceptance Of 2FA

Until recently, consumers may have been the chief resisters to 2FA systems, desiring quick and easy access to their online accounts; however, many people now are realizing that passwords are just not enough—that even complex combinations of letters, numbers and symbols are no match for today's hackers. It's too easy for cybercriminals to use brute force, social engineer or harvest plain-text passwords.

Consumers also are getting accustomed to a higher level of personal security in their daily lives. Apple’s facial recognition system, fingerprint readers on laptops, and the Transportation Security Administration (TSA) airport scans are examples of how extra security measures are becoming more widespread and accepted. As individuals living in a fast-paced, digital world, we are starting to see these tools as a benefit.

Overcoming Industry Hesitation

Executives at many organizations know that 2FA is beneficial, but the additional cost or inconvenience factor may hold them back from implementing it. Investing in 2FA can mean additional administrative, hardware and training costs, as well as extra time for customers to log in and gain access to their accounts. While added costs are typically minimal, and the log-in process normally only takes a couple of extra seconds, the idea of a “wait” isn't necessarily something organizations want to impose on customers or that customers have the patience to deal with.

Lingering uncertainty about customer acceptance has led some organizations to avoid enabling 2FA by default and instead ask for customer permission to do so. It ultimately comes down to the fact that people are looking to access their accounts with the least amount of effort, in the shortest amount of time. Given that user experience usually trumps security, industry professionals need to take steps to make 2FA easier to use without compromising the security it provides.

Some organizations are starting to use technologies like authenticator apps to send customers a secondary authorization code or a one-time verification code to get into their accounts without a secondary device. These technologies are still being refined by major companies like Apple, Facebook and Google; however, solutions like these—that are focused on convenience—are ultimately what’s necessary for consumers to stop viewing 2FA as cumbersome.

Opting In To 2FA

For 2FA to truly catch on, a shift in perspective needs to take place. We are seeing more and more people use 2FA not because they necessarily want to—but because some online accounts require them to do so, or they understand what’s at stake. Using 2FA is similar to purchasing insurance—it doesn’t seem that important until you need it. It’s now up to enterprise organizations to go beyond offering the bare minimum when it comes to online security and provide consumers with robust 2FA solutions that are readily accessible, well explained and easy to use.

Kathleen Hyde is the Chair of Cybersecurity Programs at Champlain College Online. Her areas of interest and expertise include insider threat detection, emerging threats and defenses, digital privacy and surveillance, and cybersecurity for educators.She can be reached at khyde@champlain.edu.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.