However, with my purchase of WSA Complete with its cloud storage/syncing feature, I've become more concerned about security. The way it currently is, I do not plan to use it for sensitive data, which I already entrust to another provider with a long track record.
Please integrate 2-factor authentication into Webroot SecureAnywhere online console for home and business users. Most people are familiar with this as an RSA dongle, a phone app that gives you one-time passwords, a phone app that supports push (like Duo Security) or something like the WoW Authenticator. The security lies in that logging in requires something you know (your password) and something you must HAVE (a physical thingy).
Companies require no client-side investment. You can
- use existing phone apps with TOTP
- SMS with code
- Call a phone number and have user press a key
- Retail dongles like YubiKey. Customer can buy their own dongles, Webroot doesn't need to provide or sell them. Webroot's password toolbar service is actually a rebranded LastPass service, which already supports the YubiKey. Part of your product is already two-factor enabled.
As a security company constantly blogging about stolen credentials and leading the way in protecting against browser manipulation, Webroot should be pushing hard for 2-factor authentication. The security code is a nice and effective touch, but it's not a complete solution, which I've explained on the business forum discussion.
Consumers are entrusting you with ongoing, remote access to their most sensitive data. I'm sure you already have it implemented for your employees accessing the backend support system; this should be an easy win. You will need to redesign the authentication flow in the WSA agent a bit, yes.
You even tweeted about how important it is.