Why More Companies are Enforcing Mandatory 2FA

Although the option to better protect accounts with Two-Factor Authentication (2FA) has been widely available for more than a decade, the low uptake on this security measure has prompted a growing number of companies to enforce mandatory 2FA.

Two-Factor Authentication (also known as Two-Step Login and Two-Step Verification) is a method used by online services to verify a user´s identity. In most circumstances, the first authentication factor is something a user knows (most often a username and password combination), and the second factor is something a user has or receives.

The most common second factor authenticator is a Time-Based One-Time Passcode (TOTP) sent to a user by SMS text, email, or push notification – but many other types of second factor authenticator exist, including:

  • Authenticator apps
  • Software tokens
  • Hardware keys
  • Fingerprint readers
  • Facial recognition software
  • Voice recognition software
  • Near field communicators (NFCs)

The Background to 2FA

Versions of 2FA have existed since the 1960s, when the first Automated Teller Machines (ATMs) allowed customers to withdraw cash by entering a bank card and a Personal Identification Number (PIN). From the mid-1980s, hardware keys were developed that generated passcodes every 60 seconds, and they were often used to protect sensitive systems and the data stored on them.

When smartphone adoption took off during the 2000s, several organizations developed second factor authenticators that would work with certain types of smartphones; but It was not until 2011 that the process for generating and transmitting TOTPs was standardized and 2FA became more widely available to the general public – including those who still had cellphones.

In 2014, the Universal Second Factor (U2F) standard was released which authenticates online services as well as users. This standard was intended to help prevent phishing attacks by confirming that a user is communicating with a genuine site. Over time, further standards have been released to make 2FA more convenient for users – yet adoption of optional 2FA has been mixed.

Optional 2FA Adoption

According to a 2021 survey, 32.4% of respondents now use 2FA whenever it is an option, 29.6% of respondents never use 2FA, and the remainder use 2FA to protect some accounts, but not others – typically finance accounts, email accounts, and accounts containing sensitive information. However, according to Twitter, only 2.6% of account holders use 2FA to keep accounts secure.

The low rate of 2FA adoption is a concern because so many people use the same username and password combination for multiple online accounts (around 65% according to this survey). This means that, if one set of credentials is exposed in a data breach, it can be used to access other accounts belonging to the same person. Possibly all the accounts belonging to the same person.

However, if accounts are being protected by 2FA, a third party in possession of a user´s login credentials will be unable to access any of the accounts without the device being used for the second authentication factor. According to Google, there has been a 50% decrease in compromised accounts since the tech giant “auto-enrolled” 150 million accounts in its 2FA program.

Why are Companies Enforcing 2FA?

When a third party is in possession of a user´s login credentials, they can use the credentials to stage an account takeover attack. This may result in the third party getting access to the user´s funds in their bank account, gathering personally identifiable information that allows them to commit identity fraud, or misrepresenting the user in emails or social media posts.

From a corporate perspective, account takeover attacks are estimated to cost U.S. businesses more than $25 billion per year. Further costs are incurred implementing measures to stop the attack, closing gaps in online security, and adding extra layers of security to defend against further attacks. Businesses in regulated industries may also be subject to fines if attacks result in data breaches.

Consequently, it makes financial sense to enforce 2FA as widely as possible, and every business should mandate that employees use 2FA whenever it is an option whether it is mandated or not. This will significantly reduce the number of data breaches attributable to weak, re-used, or stolen login credentials and raise security awareness through the workforce.

Who is Enforcing Mandatory 2FA?

Although it has been widely reported that Google is enforcing mandatory 2FA, that´s not strictly true. Google has turned on automatic 2-step verification for signing into Google accounts from a new device or IP address. Account holders can simply turn the security feature off in their settings if they do not want to protect their accounts with 2FA. Therefore, it´s not mandatory enforcement.

However, Facebook recently enforced mandatory 2FA on accounts that are at a high risk of hacking (journalists, government officials, and human rights defenders), Apple requires developers to use 2FA during the login process for developer accounts, and GitHub is increasing the security of its code repositories by requiring all developers to enable 2FA by the end of 2023.

2FA is mandated for companies subject to PCI-DSS regulations, and many banks, foreign exchange companies, and cryptocurrency websites are increasingly enforcing mandatory 2FA on end users. Mandatory 2FA is also enforced on Oracle NetSuite users with privileged access, and it is likely that Microsoft will implement something similar following the revelation that 2FA is used by only 22% of all Azure Active Directory customers.

How to Manage Mandatory 2FA Requirements

Not all online services support all types of second factor authenticators. Some many only support SMS 2FA, while others may support one type of Authenticator app, but not another; or hardware keys, but not software tokens. Keeping on top of different 2FA requirements can add an extra level of complexity to managing login credentials, but there is a simple solution.

Password managers support multiple 2FA types, and users can save the second factor authenticator used on each account in the same area as where the username and password are saved. The Bitwarden password manager is a particularly convenient option, as it will collect the code generated by the second factor authenticator for pasting into the online service login window.

Bitwarden also provides its own authenticator app with customizable parameters to account for different code lengths, different algorithms (used to generate TOTPs), and different times between TOTP rotations. Not all password managers or authentication apps have this capability. To find out more, visit Bitwarden today and request a free trial of the password manager in action

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news