Top 7 Reasons Companies Don’t Use Two-Factor Authentication
In the spirit of year-end reviewing and wrapping up, we've been conferring with the ghosts of security trends past, present, and future. One of the most notable trends we've seen is that 2012 was the year in which two-factor authentication really broke out of the security community and became part of the broader conversation about everyone's online account security.
Just to illustrate, the Google Trends graph to the right shows search interest over time in the phrase "two factor authentication." That spike in August 2012 is Mat Honan’s well-chronicled epic account hack and since then the baseline level of interest in two-factor authentication has been nearly twice as high as it was before.
Knowing what we all know now about how vulnerable our digital lives and our personal and company data are to hacking and account takeover, the key question really isn't "Why do companies need to add two-factor authentication?" but "Why hasn’t every company added it already?"
Here's a roundup of seven of the objections to implementing two-factor authentication that we routinely hear. If any of these sound like your company, talk to us about how easy two-factor authentication can be.
#7 It's not a priority right now Bonus objection: Management doesn't see the value
Unfortunately, as we've seen, adding two-factor authentication to help protect accounts tends to become a big priority post breach. We don’t go in for fear mongering, but cyber crime is a growth industry showing double-digit growth year over year. Increasingly, attackers are targeting users, rather than systems, in order to gain access to company networks.
Prevention is far cheaper than recovery, and improving your security stance now can help you avoid the higher financial and reputation costs of a breach. The Ponemon Institute's 2012 Cost of Cyber Crime Study shows an annualized cost of cyber crime for the 56 organizations in their sample that ranged from a low of $1.4 million to a high of $46 million (mean: $8.9 million) and that information loss and data theft are the most costly consequences of attacks.
#6 Two-factor authentication still isn’t 100% secure
Every security measure is really just a balancing act in which adding protective layers to keep attackers out has to be balanced against the ease of letting authorized users in. Two-factor authentication can't thwart every type of attack, but is especially good at reducing your vulnerability to remote attackers, and especially when true out-of-band authentication methods (like Duo Push!) are used. And by leveraging devices users already have—their mobile phones—and focusing on making two-factor easy, Duo Security is shifting this balance back in favor of you and your users.
#5 I can't risk anything that might prevent my users from getting in
Nothing is worse than a security layer that gets in the way of your users being able to do their jobs. Whether you're using an on-premise solution or a cloud solution, you should expect it to be always available and always reliable. Duo's cloud-hosted service, for example, is hosted across multiple independent and audited service providers with strong physical security, which allows us to be highly scalable and highly available (99.995% uptime since 2010). We even back that up with a rock-solid SLA, a dedicated ops team, and 24/7 support. Equally important, any good solution should allow you the flexibility to issue bypass codes or change security policies if necessary, so that your two-factor solution really is part of the solution and never the problem.
#4 Two-factor authentication might annoy my users
We get it, your users are already busy and adding extra steps and gizmos to their login process will not impress them. Fortunately two-factor authentication can be both easy and natural if implemented right. With Duo, we allow users to use their already-beloved mobile phones as their tokens. Our free app allows for fast, easy one-tap authentication, but we also support passcodes, phone call backs and tokens.
Some IT managers interpret BYOD as "bring your own destruction," but by allowing users to make their phone their token, you can lower their barriers to adopting two-factor authentication. You also ensure that they have a token they’re going to keep track of, which means if a phone is lost or stolen, both they and you can mitigate more quickly.
#3 What if the user's phone is stolen? What if they don't have cell service? What if...?
We thought about all this, too, which is why we built Duo to flexibly support so many authentication methods. We provide options that work with and without cell coverage, with and without cell phones, and even with and without phones. Two-factor authentication has to be easy and ubiquitous to work in every situation your users find themselves in.
#2 It'll be too difficult... too time consuming... too... something...
We've all suffered through big enterprise application implementations too. But Duo is different. Many of our customers are live within a day of signing up. Fun fact: Most of our drop-in integrations require only 15 minutes to get up and running! One large customer integrated Duo into their network and tested for about a week; then they invited their users to self enroll and had over 1,000 users set themselves up and enroll in a day—with almost no helpdesk support. You can try Duo absolutely free and see for yourself. So try it, you'll like it (more than you thought you ever could).
#1 Two-factor authentication is too expensive
Many two-factor solutions available on the market are too expensive. We agree. Which is why we've approached it differently. We want the added security of strong two-factor authentication to be available any everyone, from folks with home networks, to small and medium businesses, to large enterprises.
We offer two-factor authentication as a service to make implementing it fast, easy and cost-effective for organizations of all sizes. Our goal is to make two-factor authentication so easy and affordable that it becomes pervasive and every organization can benefit from the added protection. So make 2013 the year you implement two-factor authentication to protect your users, their accounts, and your company data.
(with thanks and credit to http://hyperboleandahalf.blogspot.com/)