How to get people to adopt 2FA

Two-factor authentication (2FA). You’ve heard about it, nagged about it (or have been nagged about it), but let's face it—getting everyone on board with an extra login step feels a bit like herding cats. Who’s using 2FA—and who’s not? Why is it so hard to increase adoption rates? What makes 2FA essential? And most importantly, how can you get users to adopt 2FA?


The state of play in 2FA adoption

2FA adds a critical second layer of security, making it significantly harder for attackers to gain unauthorized access, even if they have compromised a user's password. This additional step can effectively block the majority of cyber-attacks, especially those that rely on stolen credentials.


So, how are we doing in the grand scheme of things? Despite the mounting threats and horror stories of security breaches, the adoption of Multifactor Authentication (MFA) is still playing catch-up. Recent statistics suggest that while awareness is high, actual use hovers around just 50-60% in various sectors. One could attribute this lukewarm embrace to the "it won't happen to me" syndrome, or maybe it's just the added friction people anticipate with security practices.


The uphill battle of 2FA adoption

Why is getting people to activate 2FA so challenging? While users generally acknowledge the additional security layer that 2FA provides, many are deterred by the perceived inconvenience it introduces. In a world where many value efficiency and speed over added security measures, the extra steps required by 2FA can seem daunting. Surveys indicate that the primary user concerns revolve around the additional time taken during login and the chance of account lockout when they lack access to their phone or second email address.


This “inconvenience” is understandable (and compounded) in organizations that heavily use social media platforms, where multiple individuals share a single account. For example, when a user in Mexico City wants to post to X (Twitter) at 3:00 PM, but the 2FA verification is sent to a user who’s fast asleep in Paris, where it’s 10:00 PM, frustration results.


There’s a psychological barrier, too

And finally, resistance to 2FA often stems from a psychological aversion to change and an underestimation of risk. It’s true—we’re notoriously bad at assessing risks. For example, I’ll bet you didn’t know that you’re more likely to die from being hit by an asteroid than from a shark attack, did you? When applied to cybersecurity, people simply tend to underestimate the risk of financial loss or reputational damage. For example, 60% of small businesses (73% of sole proprietors) falsely believe they are too small to be targeted—yet 46% of all cyber breaches affect companies of this size.


The "it won't happen to me" mentality is prevalent, leading to complacency that can have severe consequences in the event of a security breach.


The business case for 2FA

Whether caused by complacency or convenience, foregoing 2FA is risky business. The stakes are high for businesses. Microsoft reports its systems are subjected to over 1,000 password attacks every second, demonstrating the relentless nature of cyber threats. Crucially, more than 99.9% of compromised accounts do not have MFA enabled.


A single breach can lead to significant financial losses, damage to brand reputation, and loss of customer trust. Multifactor authentication is one of the most basic defenses against identity attacks today. 2FA can block 100% of automated bots, 96% of phishing attacks, and 76% of targeted attacks. Therefore, encouraging 2FA adoption is about safeguarding the entire business ecosystem.


Listen to social media expert Melissa Nanavati share how she gets buy-in from executives and marketing teams to turn on 2FA for their social media accounts in this episode from Cerby’s podcast.


Companies must address both the human and technical factors influencing 2FA adoption to create a more secure environment. Efforts could include:


  • Education and simplification
    One of the most effective strategies is to demystify 2FA through education. Businesses can alleviate fears and misconceptions by explaining the functionality, benefits, and critical role of 2FA in simple terms. Simplifying the enrollment process and providing clear instructions can also remove barriers to adoption.
  • Incentivization and enforcement
    Incentives can play a crucial role in encouraging users to adopt 2FA. Whether through rewards for enabling 2FA or penalties for failing to do so, incentivization helps shift user behavior. Some sectors, especially financial and healthcare, are moving towards making 2FA mandatory, a trend that might set a new standard across industries.
  • Technological innovations
    Advancements in technology are making 2FA more user-friendly and less intrusive. The emergence of push notifications, biometrics, and hardware tokens as verification methods offers users simpler and more convenient ways to secure their accounts without significantly disrupting their workflow.


How Cerby can help

Cerby provides identity security solutions that secure how teams, contractors, and external agencies access shared logins and manage nonstandard applications across various business functions. These solutions include automating critical security tasks such as onboarding, offboarding, and enforcing 2FA for shared accounts.


One of Cerby's strengths is bridging the gap between standard identity providers (like Okta and Microsoft's Azure AD) and nonstandard applications that are typically challenging to manage within traditional IT security frameworks (like social media accounts). By doing so, our solutions reduce the need for manual security interventions and diminish the risks associated with SaaS apps that are not centrally managed. Curious to learn more about Cerby? Reach out to our team with your questions or to schedule a demo.
