What can you do to properly integrate two-factor authentication (2FA) into your organization without deterring or confusing users? And how do you achieve high adoption rates among your employees and customers? We explore a possible approach with Visma.
Implementing 2FA is a standard for many companies to increase security levels. This extra layer protects against common attacks, such as password theft. When a user enters their password, the second factor, such as an SMS code or notification via an authenticator app, is required to gain access. This second factor makes it much more difficult for attackers to access sensitive systems because they often do not have the means for additional authentication. Even if they have obtained a user’s password, their chances of getting into an account or system are minimized.
According to Visma Chief Information Security Officer Cindy Wubben, as logical as the extra step of protection sounds, it is not yet widely applied in practice. She sees that an attack almost always starts with breached passwords. “If a password is breached and you have two-factor authentication, at least it becomes much harder to abuse it.” Implementing 2FA has become a necessary step toward a modern cybersecurity strategy for organizations.
Phased implementation of 2FA
A successful implementation of 2FA more or less follows the general principles of any security strategy. In other words, it is not a forced, one-size-fits-all approach introduced overnight, but a well-thought-out plan that takes into account the different needs and levels within the organization. It is essential to integrate the plan you have devised for 2FA into the business operations. For example, you can first test it with a pilot project for a group of employees or customers. That allows you to test the processes, identify potential obstacles and make adjustments before rolling out the system throughout your organization.
At Visma, for example, 2FA has been made mandatory for all employees, strengthening internal security and setting an example to customers and partners. The experience at Visma shows that when you make 2FA mandatory for employees, acceptance goes much more smoothly than when users can choose it themselves. Otherwise there is the danger of laziness, where people avoid the tedious extra step. An approach like Visma’s creates a shared security culture throughout the organization, in which every employee is involved. If you follow that example, applying 2FA to almost every application becomes a habit. Only software that does not have data of interest behind it can be exempted from the 2FA policy.
Still, rolling out a 2FA policy and technology remains a challenge. In an ideal world, you get all parties on board: not only employees, but customers as well. Wubben observes that increasing the 2FA adoption rate among the latter group is particularly difficult. “Making it compulsory in your organization is still doable, but making it compulsory for your customers often meets with a lot of resistance,” says Wubben. Visma is now trying to change this. It does so by helping existing customers technically and commercially and by making 2FA mandatory for new customers.
Visma does look at the situation of each individual company across the whole group. After all, there are hundreds of subsidiaries under the Visma brand, and that number continues to grow. If a new company joins, its situation has to be assessed. “It is discussed and tuned per company, depending on their strategy and needs,” Wubben explains, without the parent company really imposing a coercive measure. This still has to fit with Visma’s responsibility to ensure product security for customers, partners and suppliers. Manufacturers are sometimes even held liable if they do not provide adequate protection against cyber threats, such as mandating 2FA.
The importance of usability
When implementing 2FA, it is important to balance security and usability. If the user interface is too complex, employees and customers will struggle to embrace the new security measures. This is evidenced, for example, by the experience of Idella, a Visma subsidiary that implemented 2FA in customer portals. “We noticed that many users were not familiar with the technology behind authenticator apps, and they found it difficult to set up,” Idella informs Techzine. It initially led to negative feedback. The company then offered several options and created a clear roadmap to guide users through the process. For Idella, this had the desired effect: complaints disappeared, and acceptance increased.
Such measures, where you as an organization choose to offer multiple verification methods and provide clear, concise instructions, can make the difference between a successful implementation and a frustrated user base. Companies should ensure that the steps to enable 2FA are simple and easy to follow.
Roadmap
Wubben also shares a roadmap for companies that do not yet have 2FA in their products. It looks like this:
– Don’t implement the 2FA solution yourself. Use existing services instead.
– Introduce 2FA at least to new customers.
– Simply offering 2FA probably won’t lead to a high acceptance rate among users (new or old), but it’s the right start.
– Offer guidance on how to increase 2FA acceptance, both technical and commercial, among existing customers.
– Establish a clear timeline and target for how and when to achieve higher 2FA acceptance rates.
– Consider enforcing 2FA for certain roles (e.g., power users) or actions (e.g., changes to critical data).
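The roadmap above can be expressed as a phased enforcement policy. The following Python is an added illustration, not code from Visma or Techzine; the role names, action names, cut-off date for new customers and deadline for existing customers are all constructed assumptions.

```python
"""Phased 2FA enforcement policy mirroring the roadmap (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Assumed policy parameters; a real deployment would load these from configuration.
NEW_CUSTOMER_CUTOFF = date(2024, 1, 1)        # accounts created on/after this are "new customers"
EXISTING_CUSTOMER_DEADLINE = date(2025, 1, 1)  # target date after which everyone must use 2FA
ENFORCED_ROLES = {"power_user", "admin"}       # roles that always require 2FA
ENFORCED_ACTIONS = {"change_critical_data", "export_payroll"}  # actions that require step-up


@dataclass
class User:
    roles: set
    created: date        # account creation date, distinguishes new from existing customers
    mfa_enrolled: bool   # has the user set up a second factor?
    session_mfa: bool = False  # has this session already passed a second-factor check?


def requires_mfa(user, action=None, today=None):
    """Return (required, reason) according to the phased policy."""
    today = today or date.today()
    if user.created >= NEW_CUSTOMER_CUTOFF:
        return True, "new customer: 2FA mandatory from day one"
    if user.roles & ENFORCED_ROLES:
        return True, "role requires 2FA"
    if action in ENFORCED_ACTIONS:
        return True, "critical action requires step-up"
    if today >= EXISTING_CUSTOMER_DEADLINE:
        return True, "existing customer past enforcement deadline"
    return False, "2FA offered but optional for existing customers"


def decide(user, action=None, today=None):
    """Map the policy to an outcome the application can act on.

    ALLOW   - proceed with the current session
    ENROLL  - 2FA is required but the user has not set it up yet
    STEP_UP - 2FA is required and this session must still present a second factor
    """
    required, reason = requires_mfa(user, action, today)
    if not required:
        return "ALLOW", reason
    if not user.mfa_enrolled:
        return "ENROLL", reason
    if not user.session_mfa:
        return "STEP_UP", reason
    return "ALLOW", reason
```

The outcome strings are where a portal would hook in its guidance flow: ENROLL leads to the setup tutorial, STEP_UP to the second-factor prompt.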
On the road to awareness
Emphasizing communication also helps to increase the adoption rate of 2FA. One of the first steps is to clearly communicate, both internally and externally, why 2FA is so important and what benefits it offers. This means informing your employees about the security risks that lurk without 2FA and how the new measure actually protects them from cyber attacks.
An example of this is how Visma subsidiary Raet communicates. Raet finds it essential to clearly explain why 2FA enforcement is necessary and what the risks of not implementing it are. This message helps reassure employees and customers and ensures they understand the measures rather than seeing them as unnecessary. In addition, you need to keep communication channels open. In doing so, you can solicit user feedback and adjust the implementation where required. After all, 2FA depends not only on the technology, but also on how users handle it.
As a company, you can provide additional support through training for employees and customers who will have to deal with the new measure. Simple tutorials that walk users through setting up 2FA one-on-one are one option. The support department should be well prepared to answer questions, and there should always be a clear process for users who need help. For one of its software solutions, Visma even involved the marketing department, which created awareness through LinkedIn posts, security articles and white papers. That approach not only helped inform customers, but also encouraged them to implement 2FA as part of their own security strategy.
Key to success
Overall, a successful rollout of 2FA requires a thoughtful approach built on clear communication, user-friendly technology and ongoing support. It is important to take the process step by step, starting with a limited implementation and then rolling it out organization-wide. By making users aware of the benefits and guiding them through each step, the adoption rate of 2FA can increase. In doing so, Wubben does recommend looking carefully at what kind of 2FA suits the customer, partner or employee. Purely on a technological level, though, much has already been gained, since most 2FA options have become far more user-friendly. With that, a more secure organization is one step closer.