By SecureWorld News Team
Wed | May 2, 2018 | 4:34 AM PDT

If your organization has been dragging its feet on two-factor authentication (2FA) because "everyone will hate it," then you will want to invest the next two minutes in this story.

Two categories of 2FA implementation

Researchers at Carnegie Mellon University recently implemented 2FA on their college campus, so students used a password and an app on their phone to authenticate themselves and gain access to the network.

And guess what? 

Surprise! They did not hate it.

Two different scenarios applied:

  1. Students who have jobs on campus and access to the university payroll system were required to use 2FA.
  2. Other students were encouraged, but not required, to sign up for 2FA.

Reaction from students to two-factor authentication

Student surveys revealed the following types of comments:

"It's not actually that horrible."
"It's like locking your doors at home or for the car when you leave, it's a pain but something you have to do."

From teenagers and 20-somethings, that is practically a ringing endorsement, is it not?

Key lessons Carnegie learned from 2FA implementation

Researchers at the university's CyLab say most of the negative comments came from implementation problems, issues that got ironed out after a bumpy start. And here are the takeaways from implementing two-factor authentication on campus:

  • The majority of 2FA adopters found the process annoying but fairly easy to use, and believed it made their accounts more secure.
  • Many adopters of CMU's 2FA had such a positive experience using it that they adopted 2FA for other accounts of theirs. However, due to some implementation problems during CMU's deployment, some users disliked the experience and said they wouldn't adopt 2FA for their personal accounts.
  • The differences between users who were required to adopt 2FA and those who adopted voluntarily were smaller than expected.

"The surprising thing is that the reception of 2FA wasn't as bad as we thought it would be," says Jessica Colnago, a CyLab Ph.D. student in Societal Computing who led the study. "We thought people would resent 2FA."

"If you deploy it well, enforcing adoption won't yield the awful responses you might expect, and it will help break the preconceived notion that 2FA is awful. The security benefits will outweigh any backlash you'll receive."

Threat landscape may push more universities toward 2FA

Mary Ann Blair, Carnegie Mellon's Chief Information Security Officer, says the decision was made to implement 2FA to better protect the school's data and credentials. And the need to do that is growing.

"Phishing attacks in particular were (and are) increasing in frequency and sophistication, putting more people at risk for divulging passwords," she says.

Phishing seems impossible to stop, but 2FA can help cut down on the number of students and employees who take the bait.
