
How to get users on board with two-factor authentication

Having trouble convincing employees in your organization to use two-factor authentication? Here's a guide on how to break it down in a way that makes sense to the average user.

From the office of "I really shouldn't have to convince you of this...":

Over in the realm of Facebook, I warn people all the time that they should set up two-factor authentication, so they can avoid account compromise. The reaction I get from an overwhelming majority of people: "What is that?"

Before you react, remember that most of the people on the ol' book of face aren't in IT, so they wouldn't really have much of a reason to know what two-factor authentication is. Thing is, you have staff (some of whom bring their own devices for work) who must understand what two-factor authentication is. If you've yet to thoroughly convince them why this measure is important, I want to offer up some possible points for you to share with those staff members. Hopefully, in the end, you can finally help those users understand (which will go a long way toward keeping both personal and company data safer).

What is two-factor authentication?

There's really no reason for you to get into a deep dive, nuts and bolts explanation with your end users. Why? First off, it's not the language they speak. Second, getting into the nuts and bolts of how two-factor works will turn them off and tune them out. Instead, you need to focus on the non-IT people who don't really care to understand the technology involved with two-factor authentication. With that in mind, I want everyone reading this to imagine they know nothing about IT. With that mindset, you can better help your end users and staff.

Remember, you know nothing about IT.

Now, let's say you want to log into Facebook. To do so, you head over to the Facebook page and enter your email address and the password associated with your account. If you get both of those things right, you are logged into Facebook. All is good.

However, what is to stop someone else from logging into that account? A password—that's all. Even if you've created a complicated password, there are ways around it. Say, for example, someone has access to your email; with that they could request a new password and then log on to your account. If they don't have access to your email, they could attempt to brute force their way in or trick you with a well-crafted phishing email (one that includes a link to a malicious URL designed to capture your login information).

That's where two-factor authentication comes into play. The best way to explain how two-factor authentication works to your end users looks something like this:

  1. You go to log into your account
  2. You type your username and password
  3. You are then sent a passcode to your mobile phone
  4. You enter that passcode into the login screen
  5. You're allowed access

Without that passcode, you cannot gain access to your account. Without your mobile phone, you cannot get access to the passcode. See how that works? No passcode, no access. No mobile phone, no passcode.

It's also very important to reassure users who think they will always have to go through those steps to gain access to their accounts: they can mark any given machine as trusted, so that machine won't require the two-factor passcode. Every other machine will still have to enter the passcode to gain entry.

It will also be necessary to remind users that passcodes can be sent to them via text, through an app like Authy or Google Authenticator, or (in the case of Facebook) through the Facebook app on their phone. Once a passcode has been used, it expires; to log in again, the user will have to get another passcode.

That's the gist of what two-factor authentication is. To make it even more simple—it's a secondary, temporary password required to log into your account.
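As an added illustration (not code from the article), here is a small Python simulation of the five-step flow above, including the trusted-machine bypass and the single-use, time-limited passcode. The account, salt and 300-second passcode lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo account (not a real credential): password stored salted and hashed.
SALT = b"demo-salt"
USERS = {"alice@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
CODE_TTL = 300  # assumed lifetime of an unused passcode, in seconds


class TwoFactorLogin:
    """Simulates the five-step login flow: password first, then a one-time passcode."""

    def __init__(self, send, now=time.time):
        self.send = send          # delivers the passcode to the user's phone (text/app)
        self.now = now            # injectable clock so expiry can be exercised
        self.pending = {}         # user -> (passcode, expires_at); one outstanding code
        self.trusted = set()      # (user, device_token) pairs allowed to skip the passcode

    def check_password(self, user, password, device_token=None):
        """Steps 1-2. Returns 'denied', 'ok' (trusted machine) or 'need_code' (step 3 done)."""
        stored = USERS.get(user)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        if stored is None or not hmac.compare_digest(stored, candidate):
            return "denied"
        if (user, device_token) in self.trusted:
            return "ok"                                # trusted machine: no passcode needed
        code = f"{secrets.randbelow(10 ** 6):06d}"    # six-digit one-time passcode
        self.pending[user] = (code, self.now() + CODE_TTL)
        self.send(code)                                # step 3: passcode goes to the phone
        return "need_code"

    def check_passcode(self, user, code, remember_device=None):
        """Steps 4-5. The passcode is single-use and time-limited; a wrong guess burns it."""
        entry = self.pending.pop(user, None)           # pop: the code can never be reused
        if entry is None:
            return "denied"
        expected, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(expected, code):
            return "denied"
        if remember_device:
            self.trusted.add((user, remember_device))  # this machine skips the code next time
        return "ok"
```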


Why is this important?

This is where it gets a bit trickier to win over your staff and end users. To help those you must educate and train, it is important not to pull punches. It all boils down to convincing those users that the extra effort will pay off.

Something like this is usually very effective:

Every single day I see someone on Facebook posting that their account has been hacked. Had they employed two-factor authentication, the chances of this happening would have been exponentially smaller. But this goes well beyond Facebook. Accounts with critical data—such as bank account numbers—can be cracked. Your Amazon account, your online bank account, your Google account, these are examples of accounts that, if compromised, could cause serious personal and/or financial issues—all of which could be avoided by making use of two-factor authentication.

Yes, it's an extra step for logging in, but it's a step that is well worth the effort. Given that the slightest bit of extra effort goes a long way toward keeping your account(s) from being hacked, adding two-factor authentication should be a no-brainer. Gaining an added layer of protection for your important accounts—and getting it for free—makes absolute sense on a level that leaves no excuse for those still denying the need for such protection.

We now live in a time where people make actual careers out of hacking into accounts; so why would you make it easy on them?

Laziness is no longer an option

The punches continue to not be pulled. This time around, we must point out a bit of painful obviousness with something like this...

On a daily basis, accounts are being hacked. When I ask my fellow humans why they haven't bothered to set up two-factor authentication, the responses range from "It's too hard," to "I don't have time," to "I'm safe." My responses to those statements:

  • It's not.
  • Yes you do.
  • No you're not.

There is simply no viable excuse to not set up two-factor authentication. Okay, maybe there is one; if you don't own a smartphone, I can understand why you haven't set up two-factor authentication. Beyond that, there is no excuse. If you opt to continue avoiding two-factor authentication, know that it is no longer about if your account(s) will be hacked, but when.

The list of how-tos

To make this easier for you to help your end users and staff, I will link to every TechRepublic how-to and article on the topic, so you can enable two-factor authentication with ease. Many of these are also available in this PDF: How to set up two-factor authentication for your favorite platforms and services.

So...what are you waiting for? Protect your accounts.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
