Resources

Article

Understanding the psychological barriers to 2FA and how we can overcome them

Article

Understanding the psychological barriers to 2FA and how we can overcome them

Article

Understanding the psychological barriers to 2FA and how we can overcome them

Security

Article

Understanding the psychological barriers to 2FA and how we can overcome them

Security

Are we innately lazy? Too trusting? Oblivious to the lurking threats beneath the surface? Spoiler: the threats are certainly lurking. In this article, we’ll explore some real-life incidents and statistics that illustrate just how much of a priority activating 2FA should be.

2FA is a form of Multi-Factor Authentication (MFA), requiring exactly two verification factors to log in (such as a password and a code sent to your phone) while MFA involves two or more factors. Read more: What is 2FA (two-factor authentication)?

MFA has been shown to reduce the risk of account compromise by 99.22%. Yet, there is still a significant number of users still who choose not to activate 2FA or MFA to protect even their most important accounts.

As Joakim Tauren, our CISO of Small Business Segment, recently said on our Voice of Visma podcast:

It’s not about if something happens, it’s when.

Cyber Security Month

Every year in the month of October, we shine a spotlight on cybersecurity awareness, and this year, our focus is on Two-factor Authentication (2FA).

2024 marks Visma’s seventh consecutive year participating in Cyber Security Month, with our security team advocating tirelessly for best practices like creating strong passwords, securing networks, and embracing two-factor (or multi-factor) authentication.

But, despite extensive education efforts across industries, organisations and communities, there is still considerable hesitation in adopting 2FA. How can we, as security ambassadors, protect our digital community against cyber threats when the resistance to 2FA is such a major challenge? Let’s take a step back and investigate some of the root causes of this widespread hesitation.

Why are people still hesitant to adopt 2FA?

Our cyber security team has explored the most common psychological reasons preventing people from adopting 2FA:

Convenience vs security:

The added step of having a device nearby for verification may be considered an inconvenience, especially for frequently accessed accounts. The irony, however, lies in the fact that 2FA doesn’t necessarily have to complicate the login flow – in fact, it often allows users to stay logged in for longer, meaning it’s actually more convenient (disregarding the fact that most people have their mobile phone within reach almost always, anyway).

This perception of inconvenience is more about discomfort with change than any substantive barrier. It reflects a psychological resistance to altering established habits (logging in with username/email and password only), despite the fact that many people are already accustomed to using 2FA through BankID, online payments and shopping.

Perceived complexity:

Misconceptions about the complexity of setting up 2FA may deter users from activating it. Misunderstandings create unnecessary fear around new processes, even though 2FA setups are usually straightforward with available guidance.

Naive trust in passwords:

Despite known risks, some users remain overly reliant on the security of their passwords, which often comes from a mindset of “it could never happen to me,” leading to complacency.

However, for sensitive services involving money or personal information, such as banking or several Visma solutions, many users actually expect to see stronger authentication methods like 2FA. The key is finding a way to extend this attitude and level of caution across all types of accounts.

Incidents can happen anywhere, to anyone.

Lack of awareness:

Inadequate understanding of cyber risks and the benefits of 2FA can fuel scepticism and hesitancy in activating it. Knowledge is power, and this scenario is no exception, which is why we aim to educate our community on both the risks and benefits of adopting precautionary cyber security measures.

Resistance to change:

Change is often met with resistance. The disruption of routine, despite any known benefits to said disruption, can feel daunting.

Nevertheless, with increasing legislative mandates for 2FA within government agency services in the US and EU, this resistance is being addressed head on. Mandates for online payments (PSD2) and upcoming regulations like NIS2 and DORA are pushing organisations and users to adapt, meaning user acceptance will only grow as people become more accustomed to using 2FA.

Fear of being locked out:

Concerns about being locked out in case of forgotten verification methods or a lost device can deter users from adopting 2FA. This fear stems from perceived personal risk rather than actual difficulty with the technology, emphasising the need for clear communication and backup options, such as storing one-time emergency codes and access to support.

There are, of course, countless reasons for why activating 2FA is absolutely essential for both businesses and individuals, including protecting personal data, safeguarding business assets and increasing customer trust, all of which outweigh any psychological deterrents. Read more here: What is 2FA (two-factor authentication)?

How can we tackle these psychological barriers and encourage 2FA adoption?

We believe the solution lies in empowering people to make good security decisions themselves. This is why Visma places such emphasis on initiatives like Cyber Security Month, where we aim to spread awareness about potential threats and equip our community with the knowledge and tools they need to protect themselves.

One of the most effective ways to change people’s security behaviours is through storytelling. Rather than listing all of the reasons why people should use 2FA, we think telling a story about when 2FA either prevented or could have prevented a cyber attack is more effective. It’s a proven technique that translates the message from “something that could potentially happen” to “something that has happened and likely will again”. It makes the threat real in people’s minds and, in turn, makes them more likely to change their behaviour.

Incidents happen far more often than people think and affect many of us on a daily basis. Here’s a recent example of the impact that 2FA (or lack thereof) can have on businesses, which demonstrates the consequences of overlooking this vital security layer all too well.

Orange España breach (2024)

Earlier this year, Orange España, one of Spain’s top mobile carriers, experienced a three-hour internet outage because a hacker managed to tamper with essential parts of its internet infrastructure. You guessed it – this could have been prevented if 2FA had been implemented.

The hacker got in through Orange’s RIPE account, where the password was simply “ripeadmin” – definitely not the strongest choice. With that access, they could disrupt how Orange’s internet traffic was routed, resulting in a substantial disruption to Orange’s internet access and a 50% decrease in traffic.

While, fortunately, no customer data was compromised, the chaos could have been prevented with stronger security measures in place. When asked at the time why two-factor authentication was not already mandated, the organisation explained it was “expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts ASAP.”

This case is a clear example of how a lack of strong authentication can have serious consequences for businesses and their customers. 2FA (or MFA) is vital in protecting all kinds of accounts, keeping disruptions at bay, and securing what matters most.

Social media and the case for 2FA

While we’ve all heard about major cyberattacks on organisations, let’s not forget this can happen to any of us at any time on any of our accounts. This isn’t just a work issue; it’s a personal issue too, and even if it hasn’t affected you directly, it’s likely touched someone you know.

Recent statistics show us how critical 2FA is for our personal social media accounts:

  • In 2023 alone, an alarming 25% of Facebook accounts were hijacked. Facebook accounts are the most compromised account types, with around 67,941 Facebook accounts being compromised each month in the US.
  • Instagram also ranks high in hacking incidents, reaching an average of 36,222 accounts affected each month.
  • 71% of users who were locked out of their Instagram and Facebook accounts experienced hackers impersonating them to contact their friends.

The numbers make it clear – social media platforms are magnets for cybercriminals. But there’s good news: adding an extra layer of security, like 2FA, can really cut down on the risk. Think of adopting 2FA not just as an option but as a must-do. By setting up 2FA, you’re doing something really important to protect your digital life, just like you’d lock up your valuables in the real world.

Access step-by-step guides on how to activate 2FA on your social media accounts.

Activate 2FA today

The role of 2FA in strengthening cybersecurity defences, mitigating risks, and enhancing data protection is critical. These incidents serve as an alarming reminder of what can happen if we make the mistake of overlooking its importance. Just like we instinctively lock our front doors at night to protect our homes or wear seat belts in cars for safety, we should be incorporating 2FA into our digital lives as much as possible.

Whether you’re an individual or a business, think of adopting 2FA as adding an extra lock on the door of your online accounts. It’s about extending the same mindset of precaution and security we apply in the physical world to the digital world, ensuring we remain safe and protected from potential threats.

We are proud to have implemented 2FA across Visma, ensuring that we uphold the highest standards of security for our community. We strongly advocate for the adoption of 2FA and we encourage everyone to prioritise their online security by enabling it on all their accounts.

Related content