2FA, I like it but I hate it.

When Pennsylvania State University decided to change its two-factor authentication system, Jake Weidman and Jens Grossklags took advantage of the situation to look at the transition from an organisational perspective. Their paper “I Like It, but I Hate It: Employee Perceptions Towards an Institutional Transition to BYOD Second-Factor Authentication” provides some interesting insights. They surveyed staff about the change to explore their perceptions of the benefits of shifting to a new authentication technology and the usability of the new app-based system.

This study provides some really interesting insights for change management for security systems and policy. Shifting from a token to an app presented some interesting challenges, as this required a number of operations and a variety of skills from employees (downloading, configuring) that weren’t required with the simpler technology. My understanding of BYOD technologies from studies in other environments is that organisations are struggling to manage employees’ desires to bring their own productivity tools. This study revealed a different attitude from some employees, who appeared reluctant to use their personal device for a work-related purpose and felt that some form of compensation would be appropriate. Relying on BYOD for authentication introduces some concerns, such as less control over device security and over user experience, as devices differ in their usability. Users who appreciated the security advantages appeared to adjust better to the new technology, reporting that the new system was easier to use.
This paper provides an interesting case study of employee perceptions and attitudes to major security policy changes, in particular moving to app-based two-factor authentication on employee-owned devices.

Weidman, J., & Grossklags, J. (2017, December). I Like It, but I Hate It: Employee Perceptions Towards an Institutional Transition to BYOD Second-Factor Authentication. In Proceedings of the 33rd Annual Computer Security Applications Conference (pp. 212-224). ACM.