Does 2-factor authentication really keep you safer?

There’s an old saying: “Locks are for honest people.” The idea is that a competent crook can break in no matter what you do, but that doesn’t mean you don’t try to make your home as secure as possible. When it comes to online security, two-factor authentication (2FA) is the cybersecurity equivalent of a door lock. 

Like a lock, 2FA isn’t guaranteed to protect your possessions, but it provides a fair amount of protection for relatively little effort.

Despite strong arguments for 2FA (protection against credential theft, spearphishing and identity theft, among many other threats), adoption just isn't there. A 2017 study by security firm Duo found that only 28% of consumers use 2FA, and that its use is declining. Of greater concern is a recent survey of the U.S. State Department (a white whale for hackers) that showed that only 11% of devices used there are protected with 2FA.

What is two-factor authentication?

Despite sounding sophisticated, two- (or multi-) factor authentication simply means proving who you are with more than one kind of evidence: something you know (a password or PIN), something you have (a card, a phone, a hardware key) or something you are (a fingerprint). Using a PIN at an ATM is the most common example: you need the card and a number (ideally) known only by you. Other methods include a one-time code delivered via SMS to a mobile device, or gaining access to an account only after answering security questions (favorite movie, birthplace, etc.). Keep in mind, though, that security questions are just a second "something you know," not a different kind of factor, and the answers are among the data leaked in one breach or another. They may even be posted on public-facing social media accounts, so if you must use them, make up new answers. In other words, lie (but make sure you remember what you said).

Why use it?

A login and password combination is a flimsy shield against cyber attacks, especially when you consider that "password" still tops the list of commonly used entry codes (along with "qwerty" and "1234567"). 81% of Americans re-use the same password across multiple accounts. Finally, dark web markets sell millions of leaked login and password combos, which attackers simply try against other sites (credential stuffing).

With all this in mind, and taking into account that a company data breach cost $3.62 million on average in 2017, it’s probably a good idea for business owners to ask themselves how safe their company’s data is and how long it would take a vaguely committed hacker to access it.

All too often, the answers to these questions are, respectively, not very and not long.

Is two-factor authentication really that easy to implement?

Not exactly. Using a door lock is easy, but installing one isn’t. Imagine being tasked with installing a new, unique lock on the front door of every office in your company. Big job. 

Setting up two-factor authentication at a workplace requires using either an in-house custom solution or bringing in an external service, neither of which is foolproof. Both also depend on user participation. 

Building a 2FA program in-house requires first collecting whatever enrollment data the chosen factor needs (security-question answers, phone numbers, registered devices) and making sure the devices in employees' possession are updated and secure. Once this is accomplished, you need a secure server to authenticate users (no mean feat) and an inventory of every personal device connecting to the network. You also need to register biometric data (if that's being used), physical security keys, etc.

Requiring a security key or text-message code for every login is not easy to roll out. Business would grind to a screeching halt if everyone had to comply with such stringent protocols at all times; in practice most deployments prompt for the second factor only on a new device or for sensitive actions. If 2FA is optional, you can be sure it won't be used. You may have IT workers available to implement it, but they're probably already overworked.

If developing and implementing a 2FA program sounds daunting, there's another option. There are a great many third-party authentication providers out there. Deploying a service can save time and headaches, but the more parties involved, the larger your attack surface.

If a single small business stands a roughly 50% chance of being attacked by hackers, a provider with access to the networks of many companies makes an even more tempting target. This train of thought must be part of your cyber risk assessment. One weak link renders a company vulnerable to a breach; the more links in the chain, the more likely there'll be a weakness. It is crucial to vet third parties as if your survival depended on it, because it may.

Too little, too late?

It may be too late for certain forms of 2FA adoption, because hackers have already had a few years to get around them. The U.S. National Institute of Standards and Technology (NIST) said in its 2016 draft of the Digital Identity Guidelines (SP 800-63B) that SMS should no longer be used as a second factor, because the codes can be intercepted or redirected, for example by hijacking the victim's phone number. (The final 2017 version kept SMS but classified it as a "restricted" authenticator.)

Researchers have found ways to circumvent PayPal's 2FA, as well as Instagram's and Google's. Learning about vulnerabilities in a system before having the time or inclination to act on them can produce a collective "why bother?" attitude, since getting hacked is more of a "when" than an "if." Most organizations look for guarantees before spending time and money on a security solution, and something that already has a variety of known workarounds can be a hard sell.

Additionally, 2FA can actually expand an organization's attack surface, and not just from a supply chain standpoint. Requiring two authenticators means maintaining two different ways to reset or restore access. People forget their passwords, lose their cellphones, and change security-question answers all the time.

Anyone administering a site or network needs a contingency plan for users who cannot present one of their factors. That recovery path is yet another avenue for attackers (and a productivity killer for talented yet forgetful employees): an account-recovery flow that is weaker than the login it bypasses defeats the purpose of the second factor.
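One contingency plan that does not weaken the login it bypasses is a set of single-use recovery codes issued at enrollment. The following is an added example, not code from the article: the server stores only a keyed hash of each code (so a database leak does not hand out working bypass codes), each code works exactly once, and issuing a new set invalidates the old one. The in-memory store, the per-user salt and the 80-bit code length are design assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

HEX = "0123456789abcdef"


def generate_recovery_codes(n: int = 10) -> List[str]:
    """n single-use codes, each 80 random bits shown as xxxxx-xxxxx-xxxxx-xxxxx.
    They are displayed to the user exactly once, at enrollment."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(10)  # 20 hex chars = 80 bits of entropy
        codes.append("-".join(raw[i:i + 5] for i in range(0, 20, 5)))
    return codes


def normalise(code: str) -> str:
    """Users retype codes from a printout: ignore dashes, spaces and case."""
    return "".join(ch for ch in code.lower() if ch in HEX)


class RecoveryCodeStore:
    """Server-side state for one user's recovery codes. Only digests are kept;
    a redeemed code is deleted immediately. In-memory here; a real deployment
    persists the salt and digest set per user (assumption)."""

    def __init__(self, salt: Optional[bytes] = None):
        self.salt = salt or secrets.token_bytes(16)  # per-user salt
        self.hashes = set()

    def _digest(self, code: str) -> bytes:
        # HMAC-SHA256 rather than a slow password hash: the codes are random
        # 80-bit values, not user-chosen, so a leaked digest cannot be
        # brute-forced or attacked with a wordlist.
        return hmac.new(self.salt, normalise(code).encode(), hashlib.sha256).digest()

    def issue(self, n: int = 10) -> List[str]:
        """Generate a fresh set; any previously issued codes stop working."""
        codes = generate_recovery_codes(n)
        self.hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """True exactly once per code; a second presentation fails."""
        if len(normalise(code)) != 20:
            return False
        digest = self._digest(code)
        match = None
        for stored in self.hashes:  # scan every entry, no early exit
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self.hashes.discard(match)
        return True

    def remaining(self) -> int:
        """Prompt the user to reissue when this runs low."""
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue(5)  # constructed sample set for one user
    print("give these to the user once:", codes)
    print("first use:", store.redeem(codes[0]))
    print("replay of same code:", store.redeem(codes[0]))
    print("retyped without dashes, upper case:", store.redeem(codes[1].upper().replace("-", "")))
    print("codes left:", store.remaining())
```

Treat a recovery-code login like any other second-factor bypass: log it, notify the user out of band, and require re-enrollment of the lost factor before the session is allowed to do anything sensitive.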

Is it worth it?

Yes. If implemented properly, 2FA offers a good baseline defense against account takeover and removes some of the lowest-hanging fruit for hackers: a guessed, leaked or phished password alone is no longer enough. 2FA is not a guarantee that you won't get hacked, but it does remove a tempting opportunity for unwanted intruders.

It also serves as a good cybersecurity lesson. No solution is 100% hassle-free or breach-proof, and it’s only going to be a matter of time before someone figures out a way around whatever protections you have in place. Instead of looking for a silver bullet, businesses should look at tools like 2FA as part of a layered approach to security, like locking a door or arming an alarm. Minimizing your risk isn’t the same as eliminating it entirely, but it’s what we have to do to keep moving forward.

This article originally appeared on and was syndicated by
