Why is two-factor authentication a paid feature? [Archived]

Two-factor authentication is now a free feature available for everyone.

The post below is kept for historical purposes.

This is a tricky question without easy answers. On the one hand, it can be reasonable to believe that “2FA increases user security, and thus should be free—nay, should be a fundamental human right.” This argument is compelling, and in a world where software is built and deployed without cost, might just work. One who makes this case might also be aware of the growing trend of non-privacy focused companies offering this feature for free, and maybe even requiring it in some cases. This certainly doesn’t make our model look generous.

But there are a few distinctions to keep in mind. The first is that we aren’t as well-capitalized as multi-billion dollar corporations who can afford to subsidize not just this feature, but even their entire product offering in some cases. And as society as a whole may have come to reluctantly learn, nothing is ever quite free. A word that better communicates the underlying nature of “free” is “subsidized”. This helps retain the perspective that while this product may be free for me to use, the cost must be picked up somewhere else in the balancing sheet. And the balancing sheet must, of course, balance.

In a word, when you set up 2FA with other services at no cost, the major distinction is: 2FA isn’t their main product. It isn’t their main source of revenue. It’s not how their company stays afloat, and it would be largely tangential were they to pivot to offering security products at a markup.

For us, 2FA may very well be one of our most important offerings, and makes up some percentage of why users choose to pay us. When you remove this security feature from the offering, that we as a security company are charging for, users may not be compelled to contribute for their free usage of the product. The result was, in our history, not enough users were paying their fair share to keep the platform afloat, and survivability was in question. A common sentiment expressed amongst users who were not swayed by the paid offering was: “the free version is enough for me.”

This is because our free product is quite generous and itself feature complete. It offers a free and encrypted notes app on every platform, including Mac, Windows, iOS, Android, Linux, and Web, and offers unlimited devices and unlimited notes. Encrypted notes synced to all your devices at the speed of light, all at no cost whatsoever. This is what a lot of people had been looking for, and nothing more. We had satisfied a market demand, but had forgotten to ask for money.

Since then, our paid subscription offering has improved and grown significantly, to the point where for some users, it helps them irreversibly improve their work and personal lives. This marks significant progress in attaining far-reaching survivability and longevity thresholds, which along with privacy, are our core tenets.

The question of “fundamental rights” also makes it difficult to address how we handle security features in the future. Does every feature we release in the future that improves security need to be free? A case could definitely be made for that. It can be especially easy for a user to make that case not fully understanding the financial implications—not having to be the one to balance the balance sheet.

As a company that refuses to take on venture capital due to the havoc that VC has wreaked on corporate incentives, and whose survivability is decided only by the margin of users who decide to contribute monetarily, every decision we make needs to be backed by solid business practices that prioritize survivability over the question of rights. Our reality is, we would not be here discussing the question of what features qualify as rights if we couldn’t convince enough users to pay us in the first place. It’s all made much tricker by the fact that these two aspects are inextricably linked.

As for what the future holds, two questions come to mind:

Will two-factor authentication always be a paid feature, or will it be free one day?
Will all features developed in the future that improve security be paid?

In truth, we will evolve to better answer these questions, as it’s not yet evident. Of course, any software update we release that addresses our underlying encryption model is—no question—rolled out to all users at no cost. However, for layered security add-ons like 2FA, and other features we haven’t necessarily committed to, like hardware 2FA, they can only be deferred to our future circumstances.

The pithy essence of the situation is: we want to make everyone happy, but without healthy revenue, we can’t make anyone happy.