What We Can Learn from the Fortnite 2FA Rollout
I was having lunch with my family this past Sunday afternoon. Out of nowhere, my two oldest sons, Caleb, 13, and Nathan, 11, asked, “Dad, can we have 2FA?” You may be thinking that my kids are into IT and cybersecurity, but they aren’t.
Because I was caught off guard and wanted to know if we were talking about what I thought we were talking about, I asked them, “What does 2FA stand for?” Caleb answered, “Two Factor Authorization.” “Close. It’s Authentication,” I responded.
I thought about launching into a lecture describing the difference between AuthZ and AuthN, but I decided against it, since, after all, I’m talking about this with my kids and I still don’t know why.
“Why do you want 2FA?” I asked. Nathan answered, “I don’t want to get scammed.” That’s good, but typically not enough motivation. I wondered what was really going on here, so I pressed for more.
My kids, like many 11- and 13-year-olds, are really into Fortnite. They play it plenty, and my wife and I work hard to make sure it only happens after their other responsibilities are fulfilled. Eventually, the true motivation came through. My son, Caleb, explained that they cannot use some in-game features without enabling 2FA. Specifically, they were looking to trade the in-game currency, V-Bucks. Because of scams on the internet, Fortnite wisely restricted that feature to users who enabled 2FA.
I helped my kids set up 2FA with out-of-band authenticators loaded on their iPods. The setup was slick and quite similar to other commercial 2FA enrollments I’ve done.
What can we learn from this?
My kids asked me for 2FA. I didn’t tell them they had to. They asked me. When was the last time one of your end users at work asked for increased security? It’s probably never happened. We force security onto our end users, expending our precious political capital to protect the enterprise. We fight for every win and it’s exhausting. What if our end users approached IT like my kids approached me: “Dad, can we have 2FA?”
What is the formula for success here?
Epic Games, the company behind Fortnite, had a real challenge on their hands. They had to get millions of kids to enroll in 2FA to keep their platform safe and secure. They did it with education, incentives, and advanced features.
Education
My 11-year-old doesn’t have his CISSP certification, but he knows that he doesn’t want to get scammed and that 2FA will prevent that. Epic Games communicated the risk and the solution in simple, easy-to-understand terms that the average 11-year-old can totally grasp. If Epic Games can communicate this concept to millions of kids so effectively that they can in turn communicate the message to their parents, that’s a huge win.
We need to do likewise. Cybersecurity education needs to be simple to understand and simple to adopt.
Incentive
I googled “Fortnite 2FA.” The “I’m feeling lucky” first hit revealed a nice incentive promotion:
Your account security is our top priority! Protect your account by enabling 2FA. As a reward for protecting your account, you’ll unlock the Boogiedown Emote in Fortnite Battle Royale.
Yes, people, you too can have the Boogiedown Emote. What on earth is a Boogiedown Emote and why would I want one? I don’t know. Go ask the closest 11-year-old.
How much money does it cost Epic Games to give away Boogiedown Emotes? I’m guessing close to nothing. It’s a small but effective incentive. We need to find an equivalent incentive to offer our employees to engage in the right security behaviors.
Advanced features
This was the main hook for my boys. Scams are bad, emotes are cool, but what they really wanted was the ability to trade V-Bucks. I think enterprises get into a tough spot because some of our digital assets that should be protected by 2FA are password-only, and we need to do the remediation work to bring them in line.
It would be great if we could couple the 2FA rollout with the unlock of an advanced feature-set. For enterprises, this could be a new app or website. The trick is to require it for the advanced features, but then enable it for everything else that should be protected.
My boys needed 2FA to trade V-Bucks, but their entire Fortnite account and gameplay experience is more secure as a result.
An interesting reversal
It wasn’t long ago that enterprise technology was the most advanced and most secure technology in the world. Today, it’s quite possible that you have better security on your Xbox than you have on your corporate financial application.
Ever since the tables turned with the dawn of the “consumerization of IT,” I’ve paid attention to the consumer tech world for tips on what I should be doing in the enterprise. This is just the latest example.
“Dad, can we have 2FA?” The answer is yes.