Is Two-Factor Authentication Necessary? How Do I Get My Employees to Use It?

Contributing writer: Ahmed Muztaba

Why is two-factor authentication necessary?

Today, nothing is more valuable than information. Because the majority of online content is behind the lock and key of the so-called “deep web,” it’s no wonder that hackers are more interested than ever in ferreting out secure information. Today’s great heist doesn’t require a cat burglar. A mouse is easier to maneuver.

Two-factor authorization (or 2FA) arose as a bulwark against the hijinks of Internet pirates whose Trojan Horses and phishing scams were netting easy prey. The premise is simple: by requiring a second layer of verification, it makes your data twice as hard to access illegally. You can see this everywhere; from the chip-and-pin credit card requirements to the “secret questions” that some websites require their users to answer.

By reducing the points of vulnerability in your company, both company and employee sensitive data can remain far less likely of being breached. Requiring strongly-typed password used to be enough, but with the increase in computing power and prevalence of botnets, a person or organization with malicious intent can have an immense amount of resources to harness. This means that once touch-to-crack passwords are now much easier to crack. By requiring a second layer of authentication that requires a code to be entered within a given amount of time before expiring, this can greatly prevent widespread damage.

Kinds of authentication

Not all 2FA models are created equal. Combining any two of these creates two-factor authentication. Let’s take a look at the kinds of authentication used in 2FA: knowledge, device, or biometric.

An example of this is requiring users to enter a random string of digits from a number-generating key fob in addition to a password. Medical offices have been a good example of providing these key fobs to personnel who need to access record rooms or sensitive patient data on a server. Because the key fobs generate new digit codes every 30-60 seconds, the likelihood of them getting hacked is small. Combined with a personalized passcode, users access the data in a more secure fashion.

What are employees’ concerns?

While two-factor authentication makes browsing the World Wide Web safer, it can also create headaches for employees who were used to just entering a password to login at work. From the perceived extra time it can take to login and start being productive, to the greater likelihood of something going wrong (entering twice the information means double the chance of mistyping), employees can have a host of concerns and worries regarding 2FA.

Two-factor practices can hinder the user experience. Employees may need to keep a device, like a key fob or mobile phone, and have it with them whenever they want to log on, which can be frustrating if a device has been lost or stolen. Some also may question the security of the methods of two-factor authentication themselves. While no data is 100 percent secure anywhere, two-factor authentication has undoubtedly made sensitive information more secure: officials blamed the lack of 2FA for the Dec. 2014 security lapse that led to the hack of 83 million JPMorgan Chase customers.

As with everything, there are learning curves to implementing 2FA. Employees, especially those who don’t handle sensitive information, may not understand the necessity for it. One study found that 74 percent of companies that employ two-factor authentication practices had employees who were frustrated with 2FA.  There are several concerns that, if communicated correctly, can help your employees to better understand why two-factor is so imperative.

How do we get employees on board?

• Explain the benefits of two-factor authentication. It takes just one employee to leave an entire company at risk – that means that sensitive data like company secrets, payroll, benefits information, salaries, Social Security numbers, and HR files could all be vulnerable. Nobody wants to be the victim of identity theft.
• Make the process easy. Usually, the best way to roll out a two-factor authentication system is to use a mobile phone app or text message prompt as the second form of verification. Because employees today are never far from a phone, using a text message form of ID means they don’t have to buy a new device to log in.
• Roll out the process gradually, if you can. Start with the staff that handles the most sensitive data and move outward. The goal is to get every member of your organization on board with as little hassle as possible. If too many people begin at once, the workflow could be harmed. Instead, let institutional knowledge of the new process build from the ground up. As more employees come on board, they can help train the next wave.
• Provide lots of assistance and lots of assurance. Computer problems are really just frustrations in disguise. Understand that change is hard and doesn’t come easy. Reassure employees that this simple process is in their best interest.

The above guidelines are suggestions on how to inform those who will be impacted by this chance. By better preparing and educating employees, companies can increase the satisfaction among its users who use 2FA. Two-factor authentication implementations don’t have to be hard! By communicating the benefits, you can educate your users all while securing your data.