Should You Require Your Users to Turn on Multi Factor Authentication?

By now, most businesses offer multi factor authentication as an optional security feature for their users. If users elect to use your multi factor authentication solution, their account will be protected by an additional layer of security; instead of only providing a password, users will be prompted to verify their identity through secondary means, such as providing an answer to a security question, a PIN from a registered device, or biometrics.

But should businesses make this a requirement for all users, increasing individual-level security in the process? Or should this remain an optional feature for users?

The Pros and Cons of Required Multi Factor Authentication

Let’s start by looking at the pros and cons of requiring multi factor authentication (MFA) for your users:

  • Guaranteed protection. Multi factor authentication provides robust security protection for individuals, making it virtually impossible to gain access to a user account even if you know that user’s password. If one of your users loses a password, or if they choose one that’s easy to guess, it’s no big deal; the criminal who guesses or steals this person’s password probably won’t be able to provide a secondary form of authentication, meaning they won’t be able to get access to the account. Because this feature is required, you can rest assured that all your users enjoy this level of protection.
  • Fewer breaches and compromised accounts. When all of your users are protected by MFA, you’ll deal with fewer breaches and fewer compromised accounts. This is beneficial for your business in several ways, making users feel more confident when using your system, reducing operating costs, and even protecting the reputation of your brand.
  • Fewer decisions for customers. If you make MFA an optional feature, some customers are going to be confused or indecisive. For the most part, it’s best to keep your user experience as simple as possible; don’t force your users to make security decisions for themselves.
  • Easier account recovery processes for customers. When MFA is enabled, password and account recovery options are much smoother for users who need them. Your users may not be able to remember their account names or passwords, but they’ll probably remember their mother’s maiden name, and they’ll certainly be able to provide a fingerprint if prompted. Because these alternative account recovery options are available, account recovery is typically more straightforward.
  • Reputation and image. Requiring your users to enable MFA is a demonstration that you take user security and privacy seriously. This can further improve the reputation and image of your brand among people in the general public.

There are some downsides to requiring MFA for your users as well:

  • Inconvenience and time spent. Some users are less concerned with security and more concerned with convenience. Being forced to enter a PIN or provide repetitive answers to security questions every time they log in can be draining, ultimately compromising your user experience.
  • Potential authentication problems. Biometrics are easy to provide, but people sometimes have a difficult time remembering the answers they gave to pass security questions. If there are authentication problems, users may become frustrated.
  • Lax security habits. People tend to be lazy with their passwords and cybersecurity habits, especially if they’re already facing other inconveniences. If you enable MFA, users may try to expedite the process by choosing weak or easy-to-guess passwords that also happen to be easy to remember. They may also feel a heightened sense of security with MFA enabled, causing them to practice other lax security habits.

Factors to Consider

As you’re making your decision on whether to require MFA for your users, keep the following factors in mind:

  • Risk. Are your users likely to be targeted by cybercriminals? How much risk does your organization face? How big of a priority is security for your company? What are the consequences of potential account loss or a data breach?
  • Convenience. How important is convenience for your brand? Did you build this app to be as quickly and readily accessible as possible? Or are your users indifferent to the prospect of spending a few extra seconds logging in each time they need to access the app?
  • Brand and competition. What are the characteristics that define your brand, and how is your brand different from those of your competitors? Are you trying to competitively differentiate your brand by making it more secure and more focused on user privacy? If so, MFA may benefit you further.
  • Usability. How quickly and easily can the average user navigate your MFA solution?

Required MFA isn’t the right move for every organization, but most brands and users benefit from this security feature being enabled. Think critically about your business’s unique position – and decide whether this is truly the best move for your users.

Thank you for reading!