COMMENTARY: Multi-factor authentication (MFA) adoption remains low, even though the technology has a proven track record of preventing several types of cyberattacks. In fact, one study found that MFA prevented 100% of automated attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.
Cyberattacks are rapidly escalating in both frequency and sophistication, so why hasn’t every organization already adopted this proven layer of defense?
Most companies see MFA as a tradeoff: If they use it to strengthen user security, they inevitably risk introducing friction into the user experience (UX), which could negatively impact their business. They worry it could decrease their conversion rates, increase login failure rates, and even lose them customers.
But not having MFA will ultimately cost an organization exponentially more than having it. For companies grappling with the decision of whether they should invest in MFA, or add additional MFA methods to their current strategy, the answer is almost always a resounding “yes.”
Let’s explore how organizations are enforcing and incentivizing MFA—and when to take each approach.
When MFA makes sense
Building and deploying MFA isn’t free: If an organization invests in MFA, it needs to ensure that enough of its users will benefit from it. In a business-to-business (B2B) context, the most common approach is to make MFA mandatory. Large tech vendors such as Google and Amazon Web Services are headed in this direction.
In a B2B or enterprise context, mandating MFA may not hurt sales or conversions, and users reap the benefits of better security, so it’s a win-win. Microsoft’s GitHub, for example, enforces MFA on all its users. The company limits unauthenticated requests to 60 per hour, while authenticated users get a rate limit of 5,000 requests per hour, or as many as 15,000 requests per hour.
In a business-to-consumer (B2C) context, the question of whether to enforce MFA isn’t so black and white, and incentivization could be a better option. If organizations do opt to enforce MFA, they can do so in a few ways. They might require all new customers to enable MFA right off the bat, or they could set rules that, once MFA has been enabled, it can’t be disabled.
For example, Apple requires its users to enable MFA before they can use certain services and features, such as Apple Pay and Sign in with Apple. Furthermore, Apple warns that if users are already using MFA with their Apple Account, it can't be turned off. Similarly, Amazon’s Ring mandates MFA for its video doorbell systems. Users must authenticate using multiple factors when they first log in to view their security footage or access the Neighbors app.
For these companies, ubiquity and market saturation mean that they don’t have to worry too much about growing their customer base and thus have the posture to experiment or even play hardball when it comes to enforcing MFA. But not all companies have that privilege, and even if they do, they may not want their messaging around MFA to be all or nothing.
The carrot-and-stick approach: Incentivizing MFA
Rather than enforcing MFA across the board, companies can choose to incentivize MFA so it’s something users want to opt into. For this approach to succeed, organizations need to focus on removing the friction associated with MFA and offering users clear benefits to boost adoption.
Epic Games offers free games users can claim once they enable MFA, and gives free in-game items to Fortnite players who secure their account with MFA. Companies like Digital Extremes, Riot Games, and Blizzard offer similar in-game perks for users who are willing to turn on MFA. But it’s not just video game companies that are gamifying MFA adoption—these methods work across other industries as well. For example, Google once offered 2GB of free Google Drive storage for enabling MFA, and Nic.ua offered a discount when the hosting provider first implemented MFA.
Companies can also incentivize MFA through UX celebrations, badges, or "well done" emails. There are also plenty of incentives that don’t cost anything, like free virtual items or other in-product benefits. And when in doubt, discounts are always a powerful motivator.
The million-dollar question: When to enforce and when to incentivize MFA?
There are a number of scenarios in which organizations should enforce MFA, namely in highly regulated industries—like finance or healthcare—in which users are accessing sensitive data like financial records, personally identifiable information (PII), or intellectual property (IP). Additionally, an organization should enforce MFA in the face of heightened security risks or in the wake of a breach.
Conversely, organizations should incentivize MFA if they’re in a crowded market, have a fledgling app or game, or want to promote a positive brand throughout user communications. Incentivization also makes sense for highly controlled, isolated networks that don't have any external connections or house any sensitive data. However, in today's ultra-connected world, these instances are increasingly rare.
Whichever approach an organization chooses, it should always focus on developing an MFA strategy that isn’t a pain for users. Companies can do this by opting for passkeys or magic links instead of prompting users with security questions or one-time passwords (OTPs) every time they sign in. While this requires a more elaborate initial setup, there will be less user friction, and users will have an easier time logging in.
In today’s world, robust cybersecurity is crucial. Organizations need to strike a balance between offering users a high level of security and a seamless experience. MFA doesn’t have to be complicated: Keep it simple, prioritize a low-friction UX, incentivize when necessary, and watch adoption soar.
Rishi Bhargava, co-founder, Descope
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.