We engage with companies all the time around the perils of credential theft and what to do about it. Just about every security expert I know agrees that online services must be protected with more than just a static ID and password, since it's clear that 2/3 of account take-overs result from the exploitation of weak or stolen credentials, billions of credentials have been stolen, and people reuse credentials 61% of the time.
Once your organization comes to grips with the fact that some additional layer of security should be employed, the inevitable question comes up: "Should we protect all our users, or make it an Opt-In?"
(To be clear, this discussion only applies to public/customer facing services. If you implement additional login security for your employees, they must comply as a matter of employment.)
Before I jump into the issues that come with Opt-In: if you have selected a 2-factor solution that engages the user at every login, or any solution that requires the end user to "do anything" to make it work (i.e. download/install something, request a FOB, etc.), the best you can do is Opt-In.
If you have chosen an adaptive technology like aPersona Adaptive Security Manager or another adaptive solution, you have a choice to implement the solution for every user as a matter of practice, or make the service an optional Opt-In.
Let's examine the pitfalls with Opt-In Login Security.
Undermining Your Brand Image
When considering an Opt-In strategy, one of the first things to think through is how your announcement of this extra layer of security will be perceived by your customers. Even though you know that your customer data is not secure with ID and password alone, your customers don't actually know this. They think you are already looking out for their interests and doing all you can to protect their data. In reality, this is what you are communicating to your customers: "Our solution is NOT SECURE, but if you want, you can make it secure; it's really up to you. Good luck!" This may not be the kind of message you want to put out there for your brand.
User Confusion & Frustration
The first things that go through your customer's mind when you announce an Opt-In security feature: "Wait, wait, wait, I thought my account was secure? It's not? What are you asking me to 'do'? How do I do it? I don't understand! Ugh, I don't have time for this!" Think through how your messaging will come across. For most of your users, you are putting them into a bit of a spot by asking them to "Do Something" and, worse, you are leaving the decision about the security of your platform up to them.
Not only will you damage your brand and cause user frustration, but in general, Opt-In adoption rates are always very low. Users just don't go out of their way to do something extra. So your organization ends up spending time implementing a solution that isn't really used. It's not really a great use of resources if you think about it.
So while you can most certainly implement login security as an Opt-In, consider the ramifications before you do. If you're concerned about exorbitant costs to protect all your users, or the complexities you have heard about in implementing additional layers of login security, we would like to set your mind at ease. The issues you may have heard about with Adaptive MFA (high fees, difficult integration, end-user interruptions, lack of flexibility, and operational complexity) are truly things of the past.
Adaptive Multi-Factor Authentication allows your organization to narrow your user threat landscape from every device and every network on the Internet to a very narrow set of just a couple of user-approved devices and a few specific network locations. For the most part, it's entirely invisible to the end user. Banks have been doing this for years. Ignoring the credential theft issue is not really an option these days if your service holds any amount of PII, Health, HR, or Financial data.
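As an added illustration (our own sketch, not aPersona's product code), here is a minimal decision function for the approved-device / trusted-network check described above. An `enforce_for_all` flag models default-on versus Opt-In deployment, so the adoption gap from the earlier section shows up as a coverage number; the user names, device IDs and address ranges are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example of an adaptive-login policy: a login from a device the
# user has approved, arriving from a network they normally use, passes silently;
# anything else gets a step-up challenge. In Opt-In mode, users who never
# enrolled get nothing beyond ID + password.

@dataclass
class UserProfile:
    approved_devices: set          # device identifiers the user has approved
    trusted_networks: list         # ip_network objects the user logs in from
    opted_in: bool = False         # only consulted in Opt-In mode

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    source_ip: str

def adaptive_decision(profile: UserProfile, attempt: LoginAttempt,
                      enforce_for_all: bool) -> str:
    """Decide what happens after a correct password: 'allow', 'step_up' or 'unprotected'."""
    if not enforce_for_all and not profile.opted_in:
        return "unprotected"       # Opt-In mode: this user has only ID + password
    device_known = attempt.device_id in profile.approved_devices
    network_known = any(ip_address(attempt.source_ip) in net
                        for net in profile.trusted_networks)
    return "allow" if device_known and network_known else "step_up"

def protected_fraction(profiles: dict, enforce_for_all: bool) -> float:
    """Share of the user base that actually receives the adaptive layer."""
    covered = sum(1 for p in profiles.values() if enforce_for_all or p.opted_in)
    return covered / len(profiles)

# Constructed sample data: three customers, only one of whom bothered to opt in.
PROFILES = {
    "alice": UserProfile({"dev-a1"}, [ip_network("203.0.113.0/24")], opted_in=True),
    "bob":   UserProfile({"dev-b1"}, [ip_network("198.51.100.0/24")]),
    "carol": UserProfile({"dev-c1"}, [ip_network("192.0.2.0/24")]),
}
# Bob's normal login, and a login with his correct password from an unknown device and network.
BOB_USUAL = LoginAttempt("bob", "dev-b1", "198.51.100.7")
BOB_UNKNOWN = LoginAttempt("bob", "dev-zzz", "203.0.113.99")

if __name__ == "__main__":
    for mode in (False, True):
        print(f"enforce_for_all={mode}: coverage={protected_fraction(PROFILES, mode):.0%}, "
              f"usual={adaptive_decision(PROFILES['bob'], BOB_USUAL, mode)}, "
              f"unknown={adaptive_decision(PROFILES['bob'], BOB_UNKNOWN, mode)}")
```

In Opt-In mode Bob's unknown-device login is reported as "unprotected" and coverage is one user in three; with enforcement for all, the same login becomes a step-up while his usual login still passes silently.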