Top Takeaways From The 1st Annual 2 Factor Tuesday
The First Tuesday In October Is 2Factor Tuesday
Although not as well known—or as boozy—as Oktoberfest, National Cyber Security Awareness Month (NCSAM) is soon coming to a close. Jointly assembled by the National Cyber Security Alliance, the FIDO Alliance, Google, and the National Strategy for Trusted Identities in Cyberspace, NCSAM exists to remind us all to take our online security a little more seriously. To that end, they designated the first Tuesday in October as “2Factor Tuesday” and coordinated online and face-to-face events. The goal is to encourage governments, businesses, institutions and the general public all around the world to amp up their online security.
Authy was invited to take part at one of these events: a panel discussion streamed live at Google HQ in Washington, D.C., where it was emphasized again and again that digital businesses need to integrate an extra layer of security – now.
Why? Three very simple reasons:
- Users want them
- It’s good for business
- You’ll regret it down the road when—not if—you become a victim of a data breach
On the first 2Factor Tuesday, on October 6th, I sat on a panel with security leaders Brett McDowell from the FIDO Alliance, Google’s Stephan Somogyi, and Derek Hanson of Yubico. Introduced by Michael Daniel, President Barack Obama’s cybersecurity right-hand, we discussed the challenges of changing login procedures, the reticence of users to adopt and deploy two-factor authentication (2FA), and what the future holds.
The very existence of a “National Cyber Security Awareness Month” in the US is a great step forward, but online security awareness is more of a daily problem that affects everyone in the world. With that in mind, I wanted to recap some of the key learnings and insights from my time there.
And, according to Stephan Somogyi, they are hostile to humans.
Every day is surprising and predictable.
The recent rash of increasingly serious, embarrassing, and business-breaking hacks and data breaches is changing the way we think and act, from Ashley Madison users being exposed (no pun intended) to the CIA director’s AOL email account being phished by a teen. Even the US Government, which you would think would be on top of it, was caught off guard by a Cold War-style agency-wide breach affecting four million government employees. Sadly, it’s no longer surprising.
The Feds have been scared straight.
Having seen their Office of Personnel Management hacked very publicly, the feds have hit the reset button. In just a few short months (which is still too long in our book), nearly every federal employee with administrator privileges now uses 2FA, and around 70% of non-administrators use it.
It’s a love story.
We can’t expect every developer out there to build a secure authentication widget on their own. There would be too many bugs and too many varieties, and consumers would hate it. As security leaders, we need to make 2FA solutions easy for developers to integrate, deploy and fall in love with. Winning the “hearts & minds” of the developers, who typically make security recommendations to their bosses, is the key to seeing 2FA scale.
But it’s also a story of convenience.
A key to wider adoption of 2FA is to give users a seamless login process. Too many bells & whistles and it’ll never get off the ground. But superb protection paired with an amazing UX? Done.
These aren’t your father’s cybercriminals.
Stop imagining a guy in a dark basement hunched over a laptop. Today, hacking is run like a business, and we need to treat cyber crime like it’s organized crime.
Someone called the FBI.
The FBI sent out a bulletin urging small businesses and their customers to protect themselves by adopting 2FA. Appropriately, this comes just a few months after the FBI itself was hacked. As more criminals use social engineering, password guessing, keyloggers and other technical tools to hack online accounts, consumer education on these vulnerabilities is key.
Trust is in jeopardy.
When it comes to digitally storing and transmitting personal information, the frequency and severity of recent data breaches could scare consumers away. If easy-to-use security measures aren’t put in place soon—and put in place across the board—everything from online shopping to banking, education, and use of digital medical records is at risk.
Change should be a non-issue.
Why are organizations asking consumers if they want to have better, easier-to-use security? If you require – and enforce – 2FA for account set-up and high-risk transactions, people won’t need to be educated on the benefits; they’ll just be happy their information wasn’t compromised.
Nothing happens until something moves.
If possible, we all take the path of least resistance. Governments, hospitals, learning institutions and small businesses are no exceptions. They stick with what they know, fearing that a move away from the simplicity of passwords will lose them customers or market share. But as the ball starts rolling and more and more organizations start making the switch to 2FA, the reasons to stay the course get weaker and weaker, especially when 2FA provides a simpler and more intuitive user experience.
The opportunity is vast.
A majority of online services are still unprotected. As a consumer, I find that scary. So should you.
There will be blood.
As Michael Daniel said in his introduction to 2Factor Tuesday, “a world in which we’ve killed the password is a better world.”
So, while tons of businesses go unprotected, and the media is rife with stories of domestic and international actors doing bad things with good people’s data, 2Factor Tuesday brings us one step closer to an increasingly aware and protected digital landscape.
Who knows? Maybe next year, we won’t even need a National Cyber Security Awareness Month. But we’d like there to be one anyway. Watch the entire panel discussion in the video below.
Marc is a seasoned entrepreneur with 30+ years of computing experience, including 25+ years with start-ups. He has founded and financed four start-up software companies in electronic medical records, authentication, and identity management, and successfully completed the sale of the most recent one, Authy, to Twilio and, before that, Passlogix to Oracle.
After leaving Oracle, Marc returned to the start-up world to help lead Authy, a two-factor authentication (2FA) as a service vendor, generating nearly 4x growth in the first year, resulting in more than 11,000 protected apps and more than 2 million users. He’s currently the VP & GM of Authentication at Twilio following the acquisition of Authy, where he was President & COO.