Why Teams Don’t Integrate Two Factor Authentication

The Cognitive Biases Behind Bad Security

Darrell Jones III
Two-Factor Everything
Nov 3, 2016


We all know that two-factor auth is a virtual necessity nowadays, yet a bunch of companies still haven’t hopped on.

What gives?

From experience, I can tell you that the folks making these decisions are smart, rational folks. There are a bunch of different reasons I hear for lagging behind, but I’ve rounded up the most popular.

Two Factor will reduce signup rates (Deprival super-reaction tendency)

  • Misconception: Adding an extra hurdle to the signup flow will cut overall registration throughput.
  • Reality: Most teams leave their registration flow exactly as it is and add two factor as an opt-in setting that the user enables later from their account page. Registration gains no extra step, while security-conscious customers can still turn on two factor at their convenience.

Two Factor will increase churn (Confirmation bias)

  • Misconception: Clunky codes, extra devices, and the occasional account lockout will annoy my users into leaving.
  • Reality: Plenty of two-factor solutions streamline the login flow or let users authenticate with a device they already carry, so there is no extra hardware to hand out. Backup codes are nearly universal, so a user who loses the device still has a way in. And with an opt-in deployment, only users who actually want more security take on the added friction.

Two factor auth still isn’t bulletproof (Misinformation effect)

  • Misconception: Two-factor authentication is easily compromised and offers little real protection for my customers.
  • Reality: Two-factor authentication is no panacea, but it does defeat the most common account takeovers: logins with a reused, leaked, or guessed password. And not all two factor is created equal. The spectrum from SMS to TOTP to PKI to hardware tokens lets you pick the degree of protection that fits your use case: SMS codes can be intercepted or redirected by SIM swap, TOTP still depends on users not typing the code into a phishing page, and a hardware token or certificate bound to the site resists phishing outright.
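To make the opt-in flow, backup codes, and TOTP concrete, here is an added example (not code from the original post, Clef, or Instant2FA) of a login routine that stays unchanged for users who never enrolled, and that accepts either an RFC 6238 TOTP code or a single-use backup code for users who did. The user store, the scrypt password hashing, the eight-code backup set, and the one-step clock-drift window are assumptions chosen for the example; the TOTP arithmetic follows RFC 4226/6238 and is checked below against the RFC's SHA-1 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example: opt-in TOTP second factor plus single-use backup codes.
# The User record and the password scheme are hypothetical, chosen for the demo.

TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def _hash_code(code: str) -> str:
    # Backup codes are stored hashed, like passwords, so a database leak does not expose them.
    return hashlib.sha256(code.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class User:
    name: str
    pw_hash: bytes
    pw_salt: bytes
    totp_secret: Optional[bytes] = None           # None until the user opts in
    backup_hashes: Set[str] = field(default_factory=set)
    last_counter: int = -1                        # highest TOTP counter already accepted


def register(name: str, password: str) -> User:
    """Registration is unchanged by two factor: only a password is collected."""
    salt = secrets.token_bytes(16)
    return User(name, _hash_password(password, salt), salt)


def enroll_totp(user: User, secret: Optional[bytes] = None) -> Tuple[str, List[str]]:
    """Opt-in step: mint a TOTP secret and eight backup codes; return what the user must store."""
    user.totp_secret = secret if secret is not None else secrets.token_bytes(20)
    codes = [secrets.token_hex(5) for _ in range(8)]  # 10 hex chars, shown once, never stored in clear
    user.backup_hashes = {_hash_code(c) for c in codes}
    user.last_counter = -1
    return base64.b32encode(user.totp_secret).decode(), codes  # base32 secret goes into the QR code


def login(user: User, password: str, second_factor: Optional[str] = None,
          now: Optional[int] = None) -> bool:
    """Return True on success. The second factor is demanded only if the user opted in."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(_hash_password(password, user.pw_salt), user.pw_hash):
        return False
    if user.totp_secret is None:
        return True                     # never enrolled: identical to the pre-2FA flow
    if second_factor is None:
        return False                    # enrolled users must present a second factor
    counter = now // TOTP_STEP
    # Accept the current step and one on each side for clock drift, but never reuse a
    # counter at or below the last accepted one, which blocks replay of a sniffed code.
    for c in (counter - 1, counter, counter + 1):
        if c > user.last_counter and hmac.compare_digest(hotp(user.totp_secret, c), second_factor):
            user.last_counter = c
            return True
    h = _hash_code(second_factor)
    if h in user.backup_hashes:         # lost device: burn a backup code, exactly once
        user.backup_hashes.discard(h)
        return True
    return False
```

The drift window of one step each way is the usual trade-off between tolerating phone clock skew and widening the guessing window; whatever window you choose, tracking the last accepted counter is what stops a code captured in transit from being replayed within the same step.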

Not a priority (Hyperbolic discounting)

  • Misconception: We don't really need this security feature, since no one is asking for it and we don't expect to get hacked anytime soon.
  • Reality: Customer feedback works well for feature additions but falls short for critical infrastructure enhancements, because customers rarely ask for a control until after the breach. Your operational risk, not your customers, should be the barometer for when to add two factor.

Integration too time consuming and difficult (Ambiguity bias)

  • Misconception: A two factor integration would take me weeks to ship and require me to build out support for a lot of edge cases.
  • Reality: While most integrations do require a little time, there are providers that build two factor that you can ship in 15 minutes.

These are the most common concerns I come across. As you can see, most of them are rooted in unfounded fear and general misunderstanding of the product, market, and functional necessity of two factor.

See something I missed? Reach out and let me know!

Darrell leads BD at Clef. Their new product — Instant2FA.com — helps you integrate two-factor authentication in minutes instead of weeks.
