The Best Time to Integrate Two Factor Authentication

Before the Hack, After the Hack, or Nah?

Darrell Jones III
Two-Factor Everything
Nov 1, 2016


“When should we add two factor?”

Every engineering team I speak with has that question. A few folks have an answer, but what's even more troubling is that no one even has a process for making this decision. Dev teams have no clue where to start.

Two factor is too important to be an afterthought, so I've compiled some best practices from my experience helping teams figure out when it makes sense and when it doesn't. There are really three times when it makes sense to add two factor: after you get breached, before you get breached, and, well, never.

After you get breached

This one is a no-brainer. Breaches suck. When they happen you usually lose assets, users, and face. Two factor helps with each loss: if the breach leaked password hashes, a second factor keeps the stolen credentials from being replayed against your accounts, and a visible, public-facing security rollout reassures users while improving site-wide security. At this point you've got a bunch of different fires to put out, so you might as well use one API to tackle all three.

Before you get breached (This is the pro move)

For all the pros out there who prefer to prevent messes instead of cleaning them up, these are the criteria I walk through with my clients to determine the urgency of an integration. It's a simple acronym, CRAFT, that helps you gauge your operational risk.

Customer. If your customers are developers or other technical crowds with high security standards, you're going to want to integrate two factor. If you serve nontechnical folks, your customers won't demand two factor as much.

Regulation and Compliance. If your business is subject to HIPAA, PCI DSS, FFIEC guidance or any other mandate for security standards, you should absolutely offer two factor; PCI DSS, for one, outright requires two-factor authentication for remote access into the cardholder data environment. Otherwise, regulation isn't a problem for you.

Assets. If you store personally identifiable information, currency, or any other sensitive information, you should add two factor to your next sprint. However, there's no need to rush on adding two factor if you don't store valuable information.

Fraud. If your platform is a prime target for fake accounts, fraudulent transactions, spam or other abusive behavior, you'll want to integrate two factor. If your platform is immune to those attacks, then fraud isn't a problem for you.

Transactions. If your service lets users transfer value or redeem coupons/promos (and therefore abuse them), you should look into adding two factor. If y'all don't transfer value, then transactions don't increase your operational risk.

After working through the criteria, most clients develop a pretty clear sense of urgency around this critical piece of infrastructure. Some folks, however, find that their business doesn’t experience any of the above operational risk factors. Those companies are the ones who I advise to never integrate two factor.

Never

I’ve met a bunch of companies who would actually be better off not integrating 2FA. These folks don’t meet any CRAFT criteria. A few other things often differentiate their business:

Trust

  • Their service requires little to no user trust in brand reputation

No user accounts

  • They don’t offer user accounts

Engagement

  • Customers don’t login to their site more than a few times in a complete lifecycle

Companies in this boat have an operational risk profile so low that it doesn’t justify the dev time or cost. Weird as it may seem for someone who sells two factor, I advise folks like this to never buy two factor until their business model changes.

Conclusion

If your business meets a couple of the CRAFT criteria, you might want to consider putting two factor on the product backlog. You might have a bit of trouble getting buy-in from the brass, but working on your persuasion skills as a developer can be rewarding. If you have a five-alarm, full-on CRAFT-carrying business, you should definitely look into adding two factor stat. The methodology I outlined is meant to help you, but at the end of the day, the question of two factor is really about whether you prefer an ounce of prevention or a pound of cure.

Darrell leads BD at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.
