Why would you not use a 2-factor authentication?
While it isn't a reason for not doing it, even two-factor can be circumvented using behavioral engineering. I think the common answer would be cost. IT departments put in layer after layer of security with increasing cost. Many administrators will agree users have a tendency to get less security conscious the more security layers we apply. Make passwords overly complex and constantly changing, and they write them down. Personally, we run into issues at locations with bad cell service, where you don't get the text, causing user frustration.
We've acquired several smaller companies and forced them into a multifactor policy. In most cases it was a "cost / management" discussion, and there wasn't a lot of resistance to change. There is griping for a short time, but it's a steadfast rule / best practice. Explain the risk to the senior leadership and it's not a big deal.
Good question! I think the main reason it has not been more widely implemented is convenience for end users, as well as education of the general public about how to use advanced security. Multi-factor can be overly complicated for the end user; most people's eyes glaze over when you recommend implementation of MFA on common social platforms. I relate this back to credit cards. We could have implemented chip and PIN a long time ago to reduce fraud (like European countries), but we have not because of consumer behavior/education. Companies are willing to take the hit on fraud for a more streamlined experience.
The good news is that solutions are being simplified and end users are becoming more sensitive to using high levels of security.
When we implemented, there were two major factors to consider: user adoption and foolproof secondary authentication. For the first, it took complete alignment at the executive level that it was important enough to implement, and we socialized the change throughout the organization well ahead of implementation so all questions could be answered. For the second, we went with a fob that was issued to everyone with a lanyard or clip. This avoided requiring everyone to have a cell phone and the inherent risk with that method, and gave us the ability to control issuance and replacement of the fob with little interruption.
Not having the ability to control both of these items would be an excuse not to implement.
Each time I do a presentation (and in the past five years I've done close to 1,000), I always ask the audience how many people are using 2FA on their home stuff, and maybe ten percent raise their hands. If we can't train our end users to be safe at home, how can we expect them to embrace it at work?
Go to www.twofactorauth.org and try to implement as much as possible at home.
Great question. And if your organization is not keeping up with security such as 2FA, shame on you! Our job is to help grow and protect the organization. And while security is often challenged as unnecessary, we know better. And many of the nay-sayers know better as well. Your responsibility includes bringing these tougher issues forward, even when they are painful.