No data is 100% safe online, but doing nothing is the worst way to protect it.
Yet doing nothing is precisely what companies offering optional two-factor authentication are doing. No matter how much you stress the importance of turning on 2FA, given the choice between something that takes no effort versus something they have to seek out intentionally, most of your customers will choose the former — effectively making your 2FA useless.
2FA should be mandatory in order to increase security for both you and your customer. Done right, it doesn’t have to be a deal-breaking decision for your customers. Simple implementation provides both peace of mind and a frictionless onboarding experience for your users, while making sure you’re taking the necessary steps to guard against a data breach.
Why 2FA has to be mandatory
Security breaches are becoming more and more common.
In 2014, JP Morgan’s failure to enforce 2FA on one of its servers led to a breach in which attackers, using a single employee’s stolen login credentials, took contact data for roughly 83 million households and small businesses.
“The attackers stole the login credentials of a JPMorgan employee and were able to access the server, despite the company’s practice of using two-factor authentication on most of its systems.”
Most being the operative word. A single server left outside the 2FA rollout was enough to turn one stolen password into a devastating breach. Extending the same second factor to that server would have made the stolen credentials useless on their own.
According to the FBI’s Internet Crime Complaint Center report for 2016, the top ten crime types by financial loss included both personal and corporate data breaches, which cost victims $59 million and $95 million respectively. Together, those two categories accounted for more than 38 times the reported losses from viruses and malware combined.
While there’s no guarantee that you won’t be targeted by a highly skilled attacker, 2FA adds a second, independent factor: besides your password (something you know), an attacker also needs your device, such as a phone or tablet (something you have). A phished or reused password alone no longer opens the account. It is worth being honest about the limits, too: a one-time code delivered by SMS or generated on a phone can still be relayed by a real-time phishing page, so 2FA raises the cost of an account takeover rather than eliminating it.
The arguments against 2FA often have to do with its execution rather than its security benefits:
- It’s difficult to implement for developers—engineers have to code in extra security features when they should be concentrating on product.
- It increases friction for customers—customers will eschew 2FA if it’s optional, or not complete onboarding if it’s mandatory.
The easy option is to then have no extra authentication at all, or optional at best. But this opens you to the mistake that JP Morgan made—optional is the same as none.
The good news is that everyone wants to protect their private data. No one is against the idea of increased security itself, as long as they understand why it’s necessary and know that it’s easy and convenient to take the required precautions.
That’s why in order to engage customers in the 2FA process, simplicity is key.
Provide all the tools and information necessary
When you equip your customers and engineers with everything they need from the start, it makes 2FA a valuable, quick and frictionless experience for both.
As humans, we suffer from the ambiguity effect. Given a choice, we’re more likely to choose the option we know most about rather than risk the unknown.
So when we’re offered optional 2FA, we’ll choose not to use it unless we’re also provided with some context as to why it might be a good idea. This explains why optional 2FA has such a low-engagement rate among most customers.
When the social-media app Cluster first launched, it asked users for permission to access various private data without any explanation, and only 30 to 40% of users granted it. After the prompt was changed to say what the access was for, the acceptance rate rose to around 60%.
On the user side, it’s essential to provide a little context, so that the customer understands why 2FA is important and why you’re asking for their phone number. Once they know it’s only for extra security benefits, they’re more likely to opt in willingly.
All you need to do is add a little text to the UI dialog that provides a bit of information about how 2FA helps to keep their personal information safe.
Just as customers can suffer from the ambiguity effect, so can engineers. On the back-end, engineers may think 2FA implementation will take up a lot of their time and energy.
However, implementing a smooth 2FA flow no longer means building code generation, delivery and verification from scratch: hosted verification services package the send-a-code and check-the-code steps so they can be dropped into a signup form or exposed through a plugin.
Providing engineers with a tool like RingCaptcha for this step saves time, spares them from writing and maintaining their own code-delivery logic, and removes most of the resistance to making 2FA mandatory.
Make it a fundamental part of the onboarding process
Sign-up is the best moment to activate 2FA. Companies like Google, Twitter and Dropbox all offer it, but because they had millions of password-only users before it existed, many of those users may not even know they can now turn it on.
Even if they knew, turning it on manually, by following instructions they first have to search for, feels like yet another chore. A far better way is to present it during signup, so users never have to go looking for it.
Onboarding with 2FA can be as easy as a single screen prompt for the customer.
As mentioned above, the onboarding process also gives you the chance to explain why 2FA is necessary for increased protection against potential breaches. A customer signing up for an account that holds nothing sensitive may find it overkill, not realising that a low-value account is still a foothold: the same password is often reused elsewhere, the account’s email can receive password-reset links for other services, and a hijacked account makes a trusted sender for phishing.
The Stanford IT department does an excellent job of explaining 2FA to users by using a simple analogy to help them understand the process better.
“A good way to think of two-step authentication is like keeping a safe in your house. Your front door has a lock on it (password) that keeps your things safe. Some of your possessions — such as a passport or heirlooms — are too important to be trusted to an ordinary door lock. You keep those items securely inside your safe, requiring a would-be thief to get past both your front door and your safe’s lock before they can steal your most valuable possessions.”
– Stanford IT
Everyone understands why putting valuables in a safe is better than simply leaving them somewhere in a locked house.
Using relatable language can help non-technically-inclined users to engage at a higher rate, since they now possess sufficient knowledge on the topic to make an informed choice.
Offer flexibility for customers
Mandatory doesn’t have to mean inflexible. While 2FA can be mandatory for all users, its frequency and devices don’t have to be. Providing customers with options will give them a greater sense of control, decreasing any resistance to mandatory 2FA.
For example, Google lets users choose from several backup options in case their primary 2FA device (usually a phone) is unavailable: a second phone, a registered backup device, or a printed set of single-use backup codes. It also spares users from a second-factor prompt at every sign-in by letting them mark a device as trusted, so the prompt only appears on new or unrecognised devices. Security-minded customers can keep the prompt on every login, while those who find it a hassle rarely see it.
Two implementation notes for anyone copying this pattern: a trusted-device marker is a long-lived credential, so bind it to the device, give it an expiry and revoke it on password change; and backup codes should be single-use and stored hashed, like passwords, never in plaintext.
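As an added example (not code from the original page, from RingCaptcha or from Google), here is what the two checks above look like in Python: a time-based one-time code (TOTP, RFC 6238) that the authenticator on the user's device computes and the server verifies with a small clock-drift window and replay protection, so the device factor described earlier genuinely has to be present at login; and single-use backup codes stored as salted, slow hashes and burned on redemption. The secret and expected codes in the demo are the published RFC 6238 test vector; the PBKDF2 iteration count, the sample times and the data layout are assumptions for the illustration.

```python
# Added example: a second-factor check for a login flow. Not RingCaptcha's,
# Google's or the page author's code; key, iteration count and times are assumed.
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP over the current 30-second step.
    This is what the authenticator app on the user's device computes."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, submitted: str, last_counter: int, at=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Accepts the code for the current step or its
    neighbours (clock drift), but never a counter at or below the one already
    used, so an intercepted code cannot be replayed within its window.
    Returns (accepted, counter_to_store)."""
    now = time.time() if at is None else at
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked table of backup-code hashes should not be
    # cheap to brute-force. 50_000 iterations is an assumed, illustrative cost.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def issue_backup_codes(n: int = 10):
    """Generate n single-use codes (40 bits each). The plaintext list is shown
    to the user once; only the salted hashes are stored."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(n)]
    stored = {"salt": salt, "hashes": [_hash_code(c, salt) for c in codes]}
    return codes, stored


def redeem_backup_code(stored: dict, submitted: str) -> bool:
    """Consume a backup code: True the first time it is presented, False for
    an unknown or already-used code. A matched hash is deleted on the spot."""
    digest = _hash_code(submitted.strip().lower(), stored["salt"])
    for i, known in enumerate(stored["hashes"]):
        if hmac.compare_digest(digest, known):
            del stored["hashes"][i]
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: this secret at t=59 yields 94287082 (8 digits).
    key = b"12345678901234567890"
    code = totp(key, at=59)                                   # "287082"
    print("device shows", code)
    print("login ok   :", verify_totp(key, code, last_counter=-1, at=59))
    print("replay     :", verify_totp(key, code, last_counter=1, at=59))
    codes, stored = issue_backup_codes(3)
    print("first use  :", redeem_backup_code(stored, codes[0]))
    print("second use :", redeem_backup_code(stored, codes[0]))
```

The counter returned by `verify_totp` must be persisted per user and passed back on the next login; without that, the drift window turns every code into a code that works three times. In a real deployment the TOTP secret is provisioned to the device once (typically as a QR code) and stored encrypted at rest on the server, and the backup-code redemption should be rate-limited like any other password check.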
Ultimately, the most important thing is to get started with a simple 2FA sign-up process. After you set it up as part of the onboarding flow, you can then expand to create more flexible options for the customer, so as to reduce friction for those who may see the frequency as a hassle, or have limited access to their primary device.
Mandatory 2FA doesn’t have to be complicated
By providing more relatable context, offering choices and making it simple for customers to use 2FA, companies can benefit from increased user engagement which will in turn boost security against potential hackers. For customers, an easy mandatory 2FA login provides them an additional safety net over their personal data.
Implementing 2FA with RingCaptcha is a matter of copying and pasting a few lines of code, a small effort compared with what it protects. Making it mandatory helps guard your company against a potentially devastating loss of data in the long run.