Everybody Should 2FA
While the enterprise and governments have entire IT departments in place to combat cyber crime, the typical small business owners and the everyday internet user is left to fend for themselves in what is essentially the wild west.
Bad actors have clearly found a sweet spot in human behavior, and are exploiting individuals in cyber attacks of a scope, severity, and variety unimaginable just a decade ago. Whether it’s clicking on undetected malware links, using unprotected wifi, falling prey to ransomware, or being manipulated through social engineering, getting hacked has become all too familiar.
Look, nobody is immune to a cyber attack. It’s not “if” you’ll be hacked, it’s “when” — which is why you need to have a good defense. The problem is that many people simply haven’t yet embraced that mentality.
As a security professional, I’ve worked at companies like Oracle, Microsoft, and Okta, and I’ve spent a lot of time understanding and architecting solutions to secure all sorts of information. Currently, I’m the Director of Product for Authy, Twilio’s two-factor authentication product, and I work in close collaboration with an international team to deliver a world-class security solution. But no matter how strong or simple a solution is, if end-users don’t enable two-factor authentication because they’re not familiar with it (or perhaps they think it’s too difficult to use), they’re leaving themselves open to an attack.
Retrench & Relaunch
Authy’s website has always been robust with information, but content for users of the Authy app was found alongside business content for the enterprise and API tutorials for developers. In an effort to do a better job at spreading the word about 2FA, while meeting the needs of the enterprise and developer audience, we knew we had to blow things up and retrench. In doing so we’ve relaunched Authy.com.
As Authy is a brand within Twilio, businesses and developers using Authy for their customers are, by default, Twilio clients. Moving forward, all materials like use cases, customer stories, API tutorials, and pricing is located in the two-factor authentication section of Twilio.com, exactly where businesses expect to find this information.
Users, on the other hand, will have an entirely new Authy experience with more consumer-friendly blog articles and new guides on how to download and enable 2FA security for a variety of popular websites and applications. And we’ll be adding more guides every month.
For those who don’t exactly know what 2FA is, we have easier-to-understand content. The new Authy.com is, like the Authy app, focused on better user experiences. Visitors will be able to learn about how our multi-device feature makes their lives easier, and how cloud backups work to solve many of the problems people have had with other security apps like Google Authenticator. We even help users evaluate whether they’d be better off with Authy 2FA or Google Authenticator.
Changing Behavior
People’s behavior is the most difficult hurdle when it comes to security, for two reasons:
- They want to be secure but don’t want it to impact how they use their devices.
- They continue to use poor or light security, even knowing the stakes. Here’s proof: for the past four years, the most popular password was “123456.” Before that, it was “password,” currently the second most popular. We doubt that this will change in 2018. But what will change is that by 2018 cyber criminals will be able to brute force any password that could possibly be remembered by a human. Clearly, “stronger” more complex passwords are not only a burden on the individual user, but also nearly ineffective at protecting them.
Creating a secure system – that is also easy to use is – is the difficulty. That balance between usability and security is a constantly changing target and, when the needle moves too far in either direction, the result is either too weak or too complex.
Part of Authy’s challenge is to solve this problem while motivating user adoption. You’d think that in this day and age nearly everyone on the web would be using 2FA to protect themselves, but many still haven’t gotten the message. The unfortunate truth is that the general public will probably only start to take 2FA seriously after they’ve been hacked. Security is like insurance: you don’t realize you need it until you need it.
How do you motivate adoption?
As companies and websites (and even governments) struggle with more frequent attacks, we’ve seen a few trends emerge as application owners try to nudge user into better protecting their information. These fall into three camps:
- Mandates. Some sites don’t give users a choice. Take a look at Coinbase, for example. If your Coinbase account is compromised, you’ll lose money. So 2FA is mandatory. No discussion. You must use 2FA to access your online finances.
- Frequent Reminders. Protecting your customer’s accounts also protects your business. Businesses have taken to regularly reminding users to enable 2FA. Every time a user logs in, they are reminded that they’re not as secure as they could be, and are prompted to enable 2FA.
- Scare tactics. You’ve seen the horror stories shared on social media. There are many examples of people who lose access to their accounts on Twitter, Facebook, LinkedIn—the list goes on and on—only to realize that 2FA was available on those sites, but never enabled by the user. Sharing these stories provides examples of “this could happen to you.”
Everybody Should 2FA
Our belief is —and has always been— that everyone should change their passwords, not reuse passwords across sites, and turn on two-factor authentication wherever it’s available. And we’re hoping the new Authy.com helps get that point across.
That’s why our new mantra is “Everybody Should 2FA!” Check out our new video to learn more.
For the rest of 2017, we’re going to continue to focus on improving the Authy app experience. Stay tuned, as we’ll be rolling out more updates in the coming weeks.
Care to join us? Find us on Facebook, Twitter and Linkedin and leave a comment below about your 2FA experiences!