Last week in our Behave Series blog we looked at passwords.
This week we’re turning it up to 11. This week, we’re talking about multi-factor authentication (MFA).
Multi-factor authentication. It’s the unsung hero of cybersecurity. It’s thwarted many a cybercriminal. And it’s simple enough to use!
But what does it take to convince your workforce to use it?
In an ideal world, we’d all have passwords as strong and unique as a Marvel superhero. In the real world, people are still using weak, predictable passwords, and it’s a cyber criminals’ favorite thing about us. Well, probably. We haven’t surveyed them or anything.
In other words, protecting your company from cyber threats by nudging people toward using MFA is a good use of time.
Encouraging MFA adoption
If you take one thing from the behave series, make it this: traditional security training, with its narrow focus on “awareness”, doesn’t work.
People don’t change their behavior because they’re “aware” of something. Think smoking, drinking, and exercise. No, we’re more complicated than that.
People hate to be inconvenienced, so minimizing hassle is key to making MFA adoption stick. For example, authentication via a text message is less inconvenient than opening an app. (Purists, pipe down! We know apps are more secure than text messages. If 70% of a workforce adopts text-based MFA, vs 40% of another workforce adopting app-based MFA, which workforce is more secure overall…?)
Even with a simple task, people need to understand the point of it. You still need to sell the idea. Sell the benefits, sell the “why” (how does it help me), and sell what might happen if they don’t engage.
We hope you’re sitting down for this next point because it’s a real shocker: people like getting given things, especially rewards, so there is mileage considering incentives for adopting MFA – more on that below.
But there are multi-factor authentication challenges…
Gaining people’s trust is crucial, MFA often requires a phone number to authenticate. The concept of “give us more personal data so we can protect your personal data” can, rightly, come across a little contradictory. That’s why creating a culture of trust and support is game-changing for organizations.
IBusse and colleagues (2019) investigated the usefulness of various rewards for the adoption of MFA.
Taking inspiration from the gaming world, they offered participants gaming-related content (e.g. stickers), discounts, and other monetary rewards for adopting MFA.
Unsurprisingly, the stickers bombed – presumably because none of the participants were seven years old. And – surprise, surprise – monetary rewards had the strongest influence on behavior.
The study also revealed people will adopt MFA in places where they think there is most risk, such as a main email account or banking login.
Most participants said they would activate MFA if they were offered an online store discount.
However, technologically-savvy people reported they activated MFA for security reasons alone.
This tells us there is work to do on building trust and understanding around MFA. And not to waste budget on stickers.
To take a closer look at how incentives affect MFA adoption might work for your workforce, read the full study here.
Make it work for your organization
The great news is it’s pretty straightforward to push people toward MFA. There’s no one-size-fits-all solution, but here’s a recap of how to give your workforce the best chance:
A simple prompt to set up MFA will sometimes be enough, so don’t overlook that as a first step
Build trust and understanding around data sharing and data security as it relates MFA
Motivate by explaining the benefits of MFA, and offering well-chosen incentives
Build a wider culture of support and trust, and encourage dialogue about cyber security
To learn more about changing and improving security behaviors, check out this whitepaper on behavior change.