There's an old saying: "Locks are for honest people." The basic idea is that a competent crook can break in no matter what you do, but that doesn't mean you don't try to make your home as secure as possible. When it comes to online security, two-factor authentication (2FA) is the cybersecurity equivalent of a lock on the front door.
Like the lock, 2FA isn't guaranteed to protect your possessions, but it provides a fair amount of protection with a minimal effort for the end user.
While the arguments are there to use it (protection against hacking, spearphishing, and identity theft, among many other threats) corporate adoption just isn't there. A 2017 study by security firm Duo showed that just 28% of consumers overall use it--and that its implementation is decreasing. Of greater concern, a recent survey of the U.S. State Department, a white whale for hackers, showed that only 11% of devices used there are protected with 2FA.
What is Two Factor Authentication?
Despite sounding sophisticated, Two- (or Multi-) factor authentication simply means using more than one form of identification to access an account. Using a PIN at an ATM is the most common example: you need a card and a data point (ideally) known only by you. Other methods include a security code delivered via SMS to a mobile device, or gaining access to an account only after answering security questions (favorite movies, birthplaces, etc.), but keep in mind that the answers to security questions are among the data "out there," leaked in this or that compromise or may even be posted on public-facing social media accounts, so you might want to make up new answers--in other words, lie (but make sure you remember what you said).
Why Use It?
A login and password combination is a flimsy shield against cyber attacks, especially when you consider that "password" still tops the list of commonly used passwords right up there with "qwerty" and "1234567." Compounding this situation, 81% of Americans re-use the same password across multiple accounts. Then of course there are the millions of login and password combinations that are sold by hackers on the dark web.
With all this in mind, and taking into account that a compromise is not only expensive--the average cost to a breached organization in 2017 was $3.62 million--it's probably a good idea to ask yourself 1.) How safe is our business's data, and 2.) How long would it take a vaguely committed hacker to access it?
The answers are all too often: 1.) Not very; 2.) Not long.
Is 2FA Really that Easy to Implement?
Not exactly. Returning to the front door analogy, using a door lock is easy, but installing one isn't. Now imagine you're tasked with installing a new, unique lock on the front door of everyone who has an office in your company. Big job.
Setting up two-factor authentication at a workplace requires using either an in-house custom solution or bringing in an external service, neither of which is foolproof, and both depend on user participation.
Setting up a proprietary 2FA program at a business requires that technical elements are secure, all employee information needed to set up security question-based 2FA has been collected and/or devices in the possession of employees are updated and secure. Once this is accomplished, you need a secure server to authenticate users (no mean feat), and then you need to embark on the arduous task of cataloging every personal device connecting to the network, biometric information if that's being used, physical security devices, etc.
Requiring a security key or text message for every login is not easy to implement. Business would grind to a screeching halt if everyone had to be in compliance with such a stringent cybersecurity protocol at the same time. If 2FA is optional you can be sure it won't be used. Then there's the question of implementation by IT staff, which is most likely already overworked.
If developing and implementing a 2FA program internally sounds daunting, there's another option. There are a great many third-party cybersecurity experts out there. The deployment of a service can save time and headaches. But what about cybersecurity? The more people, and third-party vendors, involved, the larger your attackable surface.
If a single small business stands a roughly 50% chance of being attacked by hackers, a company with access to the networks of many companies makes an even more tempting target. This must be part of your cyber risk assessment. One weak link renders a company vulnerable to a breach; the more links in the chain the more likely there'll be a weakness. It is crucial to vet third parties as if your survival depended on it--because it may.
Too little, too late?
It may be too late for certain forms of 2FA adoption, because hackers have already had a few years to get around them. The U.S. National Institute for Standards and Technology (NIST) recommended in 2016 that companies stop using SMS as a second factor due to the relative ease of hijacking smart devices and intercepting the security codes sent to them.
Researchers have found ways to circumvent Paypal's 2FA, as well as Instagram and Google. Finding out about vulnerabilities in a system well before having the time or inclination to do so can cause a collective "why bother?" attitude, since getting hacked is more of a "when" than an "if." Most organizations are usually looking for guarantees before spending time and money on a security solution, and something that already has a variety of potential workarounds can be a hard sell.
Compounding the reasons leaders may not want to adopt 2FA is the reality that it can actually expand an organization's attackable surface, and not just from a supply chain standpoint. Requiring someone to have two different types of login means you're opening up two different ways to reset or restore access--people forget their passwords all the time, they lose their cellphones, their answers to security questions can change (the answer to 'where were you born?' could be the hospital, town, state, country, etc.).
Anyone administering a site or network needs to have a contingency plan in place for what happens if someone is unable to provide authentication data--and that provides yet another vulnerability for hackers to exploit, not to mention a productivity-killer for talented, yet forgetful, employees.
Is it worth it?
Yes. If implemented properly, 2FA offers a good baseline approach to cybersecurity, and does help to remove some of the lowest hanging fruit for hackers. Going back to the analogy of the lock on a door, 2FA is not a guarantee you won't get hacked, but it does remove a tempting opportunity for unwanted intruders.
It also serves as an object lesson for cybersecurity in general. No solution is 100% hassle-free or breach-proof, and it's only going to be a matter of time before someone figures out a way around whatever protections you have in place--no matter how failsafe they seem to be. Instead of looking for a silver bullet, businesses should look at tools like 2FA as part of a layered approach to security, like locking a door or arming an alarm. Minimizing your risk isn't the same as eliminating it entirely, but it's what we have to do to keep moving forward.