Mar 2, 2025
You may be familiar with seeing two-factor authentication (2FA) as one of the first measures recommended when figuring out how to bolster security. Despite its proliferation, its frequent status as a default requirement, and its ease of implementation, many organizations still struggle to implement it effectively. If this sounds like your business, we urge you to read this article to better understand 2FA’s benefits and how you can improve your adoption rate to ensure your business is safer in the digital age.
At its core, 2FA adds another layer of defense to the login process. Instead of only requiring something you know (your password), it also requires something you have (a rotating code token, an authenticator app, a smart card, or a FIDO key). This dramatically reduces the risk of compromise from phishing, credential stuffing, and brute-force attacks.
Here are some quick stats for you to check out:
Weak credentials and their lack of protection are the leading cause of compromise. Your business is actively at risk when you leave this valuable option out of the decision-making process.
Your business is growing, congratulations! You now have a few team members working out of your new Customer Relationship Management (CRM) system. While account setup is easy, there’s that one option you might see in the account management page, or maybe in a settings page: “Require 2FA”. Maybe you enabled it on your account, maybe you didn’t. You have a secure, non-shared password anyway, so you don’t need to worry about it, right? In comes Bob. You hired him because he’s a marketing pro, you gave him access to the web development portion of your CRM, and even your marketing emails. Great! Except for one thing: Bob, as smart as he is with marketing, has an awful secret. He’s just been adding “!” to his passwords to “change” them.
No worries, you think, Bob doesn’t use his work apps on his personal computer!
Except one day Bob unknowingly installs stealer malware on his computer, a type of code that quietly steals logins and passwords and sends them to a bad guy. These bad guys don’t try passwords one by one, though. They have a system with thousands of websites already loaded up, and they’re going to try Bob’s password, and any variations they can think of, on every. Single. One of them. And your CRM? It’s probably one of them.
So now, the only thing standing between your prospective and current clients and a nasty phishing email with your name on it is Bob’s password and the bad guys finding your CRM. If you were lucky enough that Bob enabled 2FA, they might get stopped. And if you had checked that “Enforce 2FA” box ahead of time? Yeah, Bob needs to pull his phone out every so often to log in, but now you don’t have to rely on Bob taking the initiative to protect your business. Bob already had some bad security habits to begin with… so we’re not going to leave being safe solely in his hands, right?
Okay, yeah you think it’s worth it now. And you should! So how do you implement 2FA effectively? Check it out:
Begin with administrative accounts, email platforms, financial systems, and any services exposed to the internet. These should take priority. Why? Because they’re the “crown jewels”, so to speak. If you have to prioritize anything, start with these.
Avoid SMS-based 2FA when possible. Authenticator apps (like Duo, Authy, or Microsoft Authenticator) or FIDO2 hardware keys offer stronger protection against phishing. SMS-based 2FA has been proven weak time and time again, prone to compromises like SIM swapping and impersonation. Bob might be forced to use 2FA now, but if he’s prone to phishing, or his carrier isn’t the best at preventing theft of a phone number, his SMS-based 2FA is a weak target.
Make 2FA mandatory for all users, not elective. Security gaps are often found in less-privileged accounts, and enforcing security on these accounts lets you focus on other priorities. Ensure applications that can enforce 2FA for new members are doing so. For applications that either don’t offer organizational settings or don’t have the option, create a policy that is communicated to all employees. Something short and sweet: “All accounts must require non-SMS-based two-factor authentication wherever possible.”
Review applications as they’re onboarded to your organization to ensure they support your security needs.
Providing security awareness training to your users is paramount, and something Vitrasec provides! Regular awareness training regarding policies, their importance, and why they help keep the organization safe keeps security at the forefront of your employees’ minds.
Not all businesses have a Single Sign-On (SSO) provider, but when you’re ready for one, it becomes a great way to manage users and enforce secure credentials. Later articles in our blog will cover this, so be on the lookout!
Barring SSO, the best way to standardize secure authentication is to select a default authenticator app. Solutions like Authy, Google Authenticator, Microsoft Authenticator, and others exist. Pick one, and as part of your onboarding plan, ensure users have support to install the app and know how to use it.
Despite its benefits, adoption of 2FA lags due to these common issues:
2FA offers one of the highest returns on investment in cybersecurity. It’s low-cost, widely supported, and blocks the most common attack vectors. If you haven’t made it standard, you’re not just behind: you’re at risk. If you got this far, we hope you see the benefits and are looking to roll this technology out widely. Not sure where to start with implementing stronger authentication across your environment? Vitrasec offers consultation services to help you assess your current state and how best to improve your security posture. Contact us today!