17
Is requiring 2FA for everyone really the answer or does it cause more problems?
I was reading an article from a security firm last week that said every company should force multifactor authentication on all employees. But then I talked to my buddy who works IT at a school district in Topeka and he said they got so many complaints from teachers who kept losing their phones or couldn't figure out the authenticator app that they had to switch back to just passwords for half the staff. On one hand, I get that 2FA stops a ton of automated attacks and credential stuffing. But on the other hand, if people get frustrated and start writing down their backup codes on sticky notes or using SMS which has its own security problems, are we really making things better? I'm starting to think it depends on the user base and the threat model. What do you all think about where the line should be between security and usability?
2 comments
lisaf38 16d ago
That whole "just switch to 2FA" thing sounds great in a boardroom but falls apart once you hit real people. The school district case is a classic example of security theater where the solution creates new problems. Honestly, the real issue is companies picking the wrong kind of 2FA for their users. Hardware tokens like YubiKeys are way less annoying than app codes, and teachers can't lose them as easily. But those cost money, and IT departments usually take the cheap route with SMS or authenticator apps that people hate. Maybe the answer isn't forcing one type on everyone but letting users pick between a few options that actually match their tech comfort level.
4
finleyh89 16d ago
Bet on hardware tokens and let people pick their own flavor.
-1