Still, concerns about the convenience and cost of this protection seem to stubbornly cloud most discussions of 2FA. It doesn’t take long, however, before a little research reveals that these perceived shortcomings amount to little more than a fragile set of five myths.

Let’s visit each, and discuss where the myth ends and reality begins.

Myth No. 1: Consumers need to carry dozens of credentials with them to log in to all their online accounts, and this will make 2FA a burden for users and impractical for site operators.
This is the so-called “token necklace effect” that critics claim has haunted 2FA, but the specter of a single consumer laden with multiple credentials isn’t inevitable. A shared network of member organizations could make 2FA easier and more convenient than ever by allowing users to carry a single, portable credential that is recognized on all member sites.

(Credentials today are available as a key fob token, credit card sized credential, or even software that’s downloaded to a user’s cell phone – all of which generate an OTP.) When companies join a 2FA network, much like an ATM network, the dreaded necklace of tokens is unnecessary.

Myth No. 2: Judging from what enterprises have spent on their implementations, 2FA is just too expensive for the consumer market.
2FA is now available through managed services and shared network models, which have allowed strong authentication to break out of the premise-based enterprise model and cost-effectively scale 2FA protection to a consumer audience. Online businesses now can take advantage of third-party hosting of the infrastructure needed for 2FA, along with easy integration of Web services, to reduce deployment expenses and share maintenance costs with other network members. This reduces both short and long-term investment requirements.

Myth No. 3: It’s risky to invest in a 2FA platform based on today's consumer preferences, when tomorrow's consumer preferences could be totally different.
Organizations can “future-proof” their 2FA offering by choosing solutions that comply with the open standards of the Open AuTHentication (OATH) reference architecture. With an OATH-compliant 2FA solution, companies can avoid becoming locked into one vendor’s authentication credentials. OATH-compliant systems can support any similarly compliant form factor, including tokens, cell phones and PDAs. More than 70 manufacturers produce OATH-compliant solutions today, providing organizations an enormous variety of options for the consumers they serve.

Myth No. 4: Whatever advantage the 2FA network model may offer, it’s not enough to draw new members into these alliances.
Aside from the obvious benefits to consumers – using a single credential across thousands of sites – and the cost advantages that come with sharing network expenses with other members, signing on to a 2FA member pays other business dividends. For instance, the ability to transfer the trusted relationship across all network members can be leveraged to strengthen online affiliation and build sales channels.

For example, eBay and PayPal both belong to the same 2FA network, an online retailer can notify those companies’ communities that the same tokens that consumers use for eBay and PayPal can also be used at the retailer’s site. That represents a competitive advantage in a market where differentiation can be tough to achieve. And by leveraging their reputation as an innovator who puts the security of customers first, businesses can burnish their own brands in ways that can generate new sales opportunities.

Myth No. 5: Consumer 2FA is long on hype but short on real-world successes.
The brief history of consumer 2FA has certainly not rewarded organizations using premise-based, proprietary systems and credentials – in other words, credentials that can only be used at a single online business. If consumer 2FA implementations have stalled, it’s because these models have not delivered the results, efficiencies and scale they promised.

That’s not the case with managed service providers such as VeriSign, which have successfully implemented the network delivery model and have brought on an impressive number of online brands.

Battling the Irrelevant
These five myths all mirror outdated perceptions of 2FA, perceptions based on decade-old enterprise models that are irrelevant to today’s consumer paradigm. Today, successful online businesses are leveraging industry standards, managed services and shared networks to deliver comprehensive two-factor authentication for consumers.

Poking holes in these myths merely requires a balanced assessment of the risks faced by consumers, the cost of implementing 2FA, and the resulting quality of the consumer’s online experience. Doing so will reveal why it makes good business sense to protect a company’s customers – and its own vital interests – with a strong two-factor authentication solution.

Sources

The author is vice president, VeriSign India.