Two-Factor Authentication – Balancing Web Security and Usability

Peter Roesler, President - Web Marketing Pros

One of the key rules of economics is “there are always trade-offs”. This has proven to be the case in the realm of internet security, where advances in technology have required changes to the way people interact with websites. Organizations that operate online have a vested interest in ensuring the security of their sites, but it is important to carefully balance security concerns with the overall usability of a website. Additional security measures can have a negative effect on a company’s bottom line if the security features deter users from visiting the site. Organizations that are trying to decide whether to implement two-factor authentication on their websites face a tough decision about whether the additional web security is worth the trade-offs.

Two-factor authentication is a security measure where users have to use multiple identification systems when they want to access an account or certain account settings. The factors can be a combination of passwords or PINs; tokens or smart cards; and biometric data like fingerprints. According to SafeNet, a data protection company, “Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure software authentication method for authenticating access to data and applications.”

Recently, Twitter added a feature where users can choose to require the entry of a code they receive via text message each time they log into Twitter. There are similar systems available for Apple, Google, Bank of America, and other large companies. The main benefit of such systems is that they would prevent unauthorized access to accounts by people who had only managed to compromise the credentials. In fact, the cell phone holder would become immediately aware of the intrusion because they would get an unexpected text message about logging in to their account.

The security firm Impermium recently released a report that may help website administrators decide if they want to adopt a two-factor authentication system for their site. The issue is whether or not two-factor authentication will be too annoying for potential website visitors. The study noted that about 1 in 4 Americans (27 percent) decided against signing into a website that had a two-factor authentication system, either because they didn’t want to disclose their mobile number or because they found the system inconvenient. This is why adoption is easier for a large company with devoted (or captive) users who are willing to go through the extra steps. Apple is less concerned about people switching from iTunes than smaller internet retailers are about losing customers. Smaller sites risk alienating potential clients if they implement a security system that is too much trouble for customers.

“Despite heightened awareness of cyber threats and a clear demand for account protection, Americans are still hesitant to adopt new prevention techniques,” said Mark Risher, CEO of Impermium in a press statement. “Two-factor authentication has been held aloft as a ‘silver bullet,’ but a security system that isn’t turned on provides no security. Only with intelligent, risk-based authentication mechanisms can service providers effectively protect users from account hijacking. Consumers and websites need an intelligent solution that is secure yet simple.”

Acceptance of two-factor authentication may increase as people become more familiar with it. In the Impermium study, only 25 percent of respondents had ever used a two-factor authentication system, a percentage that will certainly increase as other large companies begin to implement the technology.

Two-factor authentication is extremely problematic for companies that have multiple employees who need to log into an account, or when an organization utilizes an outside company to handle a web-based account. To illustrate, if a social media company needs to access a Twitter account for a company that they work for, they would have to constantly use the cell phone holder as an intermediary whenever they wanted to log into the account. This can lead to inconvenient delays and a lot of extra messaging that many brand managers would find annoying.

In the end, balancing security features with website usability can be a tall order. Apple tried to balance the issue by making the two-factor authentication feature optional and only applying it in certain situations; the resulting system was called a “half-hearted job” by some security observers. In spite of the challenges, web security remains an important responsibility for any organization that’s online. The potential damage to a company’s reputation and profitability from a security breach is too great a risk to leave to chance. Even if administrators decide against two-factor authentication, they should remember to explore other security options that may be more effective and efficient for a given organization. The greatest lock in the world is useless if people no longer want to use the door.

