
2FA should (not) be left to users’ choice

April 8, 2019
Category: Security
Author: Harry Cheung

In the early 2010s, we started hearing about breaches into different websites and services, with millions of usernames, user e-mails, passwords, and other data being stolen and shared on the dark web, and sometimes offered for sale. At that time, it looked like these were sporadic attacks, targeting some companies & services, mostly so the hackers could boast about their exploits within their communities.

Years later, we now know that these attacks had been happening for a long time before we even heard about them. Stolen data was being collected and has been popping up online months and years after these incidents.

The culmination happened earlier this year when several collections (creatively named Collection #1 through #5) were published with over 2 billion unique records of user e-mails, usernames, passwords…

With all this information highly publicized, one would think users would start changing their habits – namely, stop re-using passwords and start asking for more secure authentication options. But that hasn’t changed much.

Introduction and evolution of 2FA

The biggest websites and apps introduced different two-factor authentication options years ago, practically at the same time we were hearing about all these breaches. Google did it in 2011, while Microsoft introduced it in 2013.

In those days, 2FA was usually based on sending codes via SMS (nowadays proven insecure), but over the years other options have been introduced, like using specialized authentication apps and hardware tokens. Lately, biometrics has been making the headlines. So, options do exist, but people simply didn’t use two-factor authentication, unless they had to.

Why? Because they don’t like change, they don’t like complication, and they don’t think anything bad will happen to them.

Just ask yourself: if you are given the option of doing the same thing in a simple or a more complex way, which one would you choose? If the complex way protects from potential misuse of data you don’t deem too personal or important, you probably will not use 2FA and will maybe try to create more complex passwords and/or use a password manager.

What if the misuse would hurt you financially? You would probably try to use the most secure option available. Which is why we don’t think twice when banks tell us we need to use complex authentication for using their apps.

How many people use 2FA?

Last year, Google revealed that more than 90% of Gmail users didn’t activate two-factor authentication.

Although to me that sounds shocking, when I take into account user habits and preferences, I understand it. Just consider the outrage against Apple when they quietly removed the option for users to disable 2FA. Note, this only happens when users first activate two-factor authentication and then don’t change their mind within two weeks of activation.

Consider also this – although there is no independent research available – surveys show that up to two-thirds of people don’t use any form of 2FA, anywhere. Almost half haven’t even heard about it.

On the other hand, many would start using it if it wasn’t too much hassle, so they allow it for accounts that are more important and don’t use it for most of those they use every day, like email, social networking, games and similar.

Better safe than sorry

To me, it's clear what needs to happen. Service providers should not allow users to choose if they are going to use two-factor authentication (or multi-factor when needed). There is too much at stake for a small hassle to create a larger security problem.

But on the other hand, I completely understand their business logic. If they put another layer of complexity onto their users, their registration rates will go down, the number of transactions will go down, and as a result their revenue will go down, and businesses which do not enforce 2FA will have an advantage.

And if we want to create a safer environment, we can’t wait for lawmakers to make 2FA an obligation. We need to be in front of that, to lead the way, and I won’t be modest and will openly say – our solution is at the forefront of this change.

With IPification, service providers and users can have what they want. Our authentication solution enables users to rely on 2FA protection without added complexity – they need to tap it once or allow for it to run in the background. Everything happens in milliseconds, and the user experience within the application is as smooth as possible. It's better than using a username/password combination and much more secure.

This helps service providers not only protect their users but also increase registration and retention rates.

To me, there is no actual choice. Two-factor and multi-factor authentication is a must, and we are here to make it secure and seamless!