Resistance To 2FA Is About Education, Says Security Expert
Users still largely ignore one of the most effective security measures available to them.
We’ve said it before, and we’ll keep saying it: two-factor authentication (2FA) works, and everyone should be using it. Yet the vast majority of people continue to use single-factor logins, despite the clear security advantages of 2FA. Why? What is to blame for the continued resistance to 2FA?
As a supplier of cyber security solutions, TMB has, of course, implemented 2FA in its own IT solutions, and we encourage our customers to do the same. We can’t, however, force them to follow our advice, even with the services we supply, such as Office 365. It costs nothing to set up and use, but ultimately such features are entirely optional.
We regularly hear from customers who have been hacked as a result of not enabling 2FA in Office 365, or of using an on-premises email server that doesn’t support 2FA. Somehow, criminals have acquired the usernames and passwords of employees (there are a few ways this can happen) and used them to access accounts and commit fraud. We’ve seen email accounts being taken over completely, forwarding rules being set up to send copies of emails to the attackers, emails being deleted before the intended recipient can even see them and, worse, invoice PDFs being replaced with edited versions that substitute fraudulent bank details for the real ones.
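The forwarding and deletion rules described above leave traces an administrator can look for. The following PowerShell script is an added example, not TMB’s own code or a tool the post describes; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds Exchange administrator rights. It lists every inbox rule or mailbox-level setting that forwards, redirects or deletes mail, which is a quick way to spot the kind of tampering that typically follows a credential compromise.

```powershell
# Added example (not TMB's code): audit Exchange Online mailboxes for inbox
# rules and mailbox settings that forward, redirect or silently delete mail.
# Assumes the ExchangeOnlineManagement module is installed and the account
# used has Exchange administrator rights.

Connect-ExchangeOnline

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set outside inbox rules and is easy to miss
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '(mailbox-level forwarding)'
            Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            Deletes = $false
        }
    }

    # Inbox rules: flag any that send mail elsewhere or delete it
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        if ($targets -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Target  = ($targets -join '; ')
                Deletes = [bool]$rule.DeleteMessage
            }
        }
    }
}

# Show the results on screen and keep a copy for the incident record
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Treat the output as a review list rather than an alarm: plenty of legitimate rules forward mail to colleagues. Start with targets outside your own domains and with rules that delete messages, and remember that removing a malicious rule without resetting the password and enabling 2FA only invites the attacker back in.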
On the plus side, a shock like this will likely diminish the victim’s resistance to 2FA, but that really is learning the hard way. We can’t rely on everyone being hacked before they decide to implement 2FA.
And although such cases can be useful reminders to the rest of us, we can’t rely on people to learn from the mistakes of others either. There is no shortage of stories and case studies about businesses that have been hacked, and which haven’t been using 2FA. Yet still it remains a marginal technology.
Breaking Resistance To 2FA… With A Toothbrush
According to Dr L Jean Camp of Indiana University, the problem is due to a lack of awareness regarding the actual need for 2FA. Certainly for some people, 2FA is an inconvenience, but as The Register reported, companies like Microsoft and Google have worked hard to make 2FA easier to set up and use, yet this has made a minimal difference to the number of people who actually take it up.
Video, Dr Camp says, is the most effective way to get the message across and encourage people to use 2FA. Particularly effective, apparently, was a video she showed to people, which compared reusing passwords to reusing a toothbrush to clean a toilet (arguably, that’s fine, as long as it’s someone else’s toothbrush – but we digress…).
Sadly, we don’t have that video, but here’s one about Microsoft 2FA and Authenticator.
What Might Happen Without 2FA?
Quite simply, it is much easier for hackers to get into your accounts if you don’t have 2FA. For businesses, that can quickly translate into significant financial losses, especially if attackers are able to intercept the emails of high-ranking employees or those in your finance department. Every year, billions are lost to various types of invoice fraud, and not all businesses will be able to recover from such an attack.
If you’re lucky, you might have cyber insurance that covers you for big losses like this. But you might find your insurer less than willing to cough up when they discover you weren’t using 2FA when the fraud occurred.
So… one more time for the cheap seats: drop your resistance to 2FA, get it set up and give yourself a fighting chance against hackers.