Almost seven years ago, Google began introducing physical security keys and Universal Second Factor (U2F) to its 85,000 employees, offering the latest 2FA solutions across one of the largest technology companies in the world.
The results were exactly what Google executives hoped for. The new 2FA efforts eliminated successful phishing attacks against employees entirely over the next several years.
Google’s story demonstrates that 2FA is no longer a nice to have security feature, but also an accessible one. What was once a privilege for organizations with advanced security teams is now simple to adopt. It comes at a perfect time when the value of 2FA is multiplied as companies continue to work remotely.
While we are seeing more organizations adopt 2FA to secure their workforce, there is a clear disconnect between companies of different sizes and across various industries. Among Perimeter 81 clients, less than 20% of enterprises are using 2FA. In contrast, small and medium-sized businesses are adopting 2FA at 2.5 times the rate of large companies.
Considering how large enterprises are increasingly being targeted by cybercriminals, 2FA should be the baseline, a minimum requirement for security during an era that demands additional protection for remote workers and increasingly damaging data breaches.
Prior to COVID, personal knowledge and use of 2FA was surging. Nowadays, 2FA can be user-friendly, aesthetically pleasing, and mobile-friendly. Even with just a text authentication sent to your cell phone, you are vastly improving security. If your second form of authentication is a physical security key, you are even safer.
Our analysis of more than 80 companies and their use of 2FA revealed adoption is prevalent, but not across the board:
Smaller companies, including startups, and technology companies were among those with the highest 2FA adoption rates. This all makes sense since startups and the tech sector at large both skew younger, and we know that personal 2FA use is increasing most rapidly among the 18-34 age range. What’s more, smaller firms and leaner startups have significantly fewer users and uses to protect, making it easier to adopt and implement 2FA successfully.
Similarly, enterprises are more likely guided by more veteran executives with some generational gaps in personal security habits. Anything that requires the buy-in of hundreds or thousands of users can be a daunting task, so usability concerns are amplified for the largest enterprises.
Their hesitation might also arise from the perceived small risks associated with some 2FA methods, like well-known vulnerabilities of SMS.
While 2FA is fundamentally an easy way for large organizations to enforce secure access, 2FA on a more practical level requires visibility to provide security. To go down this road could mean several new security tools, legacy hardware fixes, or infrastructure tweaks, driving up costs and lengthening the transition.
That surely feels like a heavy lift, especially for companies caught in survival mode during the pandemic.
The past year brought an unprecedented torrent of data breaches among some of the largest brands and organizations in the world — like Facebook, Nintendo, Walgreens, and more. At the same time, more organizations shifted to 2FA to combat these threats. From companies like Zoom, adopting 2FA last September, to Epic Games requiring 2FA for gamers, we are seeing a clear shift in how companies are ramping up their security.
While the introduction of tools like 2FA is ultimately the responsibility of IT and security professionals, its adoption is reliant upon each and every employee. You don’t have to be an IT pro to play a role in proper security hygiene.
Enterprises can heighten security for their employees and customers by requiring 2FA or even more stringent forms of security. As 2FA becomes more ubiquitous, companies that want to stay competitive will have no choice but to give their customers (and employees) the security and peace of mind they’ve come to expect.
Our analysis tells us that companies are moving in the right direction when it comes to the adoption of strong security practices like 2FA. That will open the door for more organizations to move toward more sophisticated security processes, like Zero Trust, in the next year and beyond. Zero Trust builds on some of the key tenets of 2FA and handles encryption, access policy enforcement, device identification and verification, and security threat intelligence, to give companies the kind of coverage required to stay safe from data breaches. It’s easy to see this as the next step as businesses, no matter their size, continue to work toward better security for their changing workforce.