The results of a study into users’ security beliefs, knowledge and demographics make for some interesting reading – particularly around two-factor authentication (2FA). “How I learned to be secure” reveals how these factors influence where people turn for security advice and what influences their decision on whether to act on that advice.
The study
The joint University of Maryland and Johns Hopkins University study asked 526 US users questions about their security behaviours, advice sources, reasoning and beliefs. It focused on four important areas: 2FA, password strength, antivirus use and software updating.
The study team hopes the findings will reduce the amount and improve the quality of security information available. And that this, in turn, will make it easier for users to learn good security behaviours. They begin their paper by noting:
Few users have a single, authoritative, source from whom they can request digital-security advice. Rather, digital-security skills are often learned haphazardly, as users filter through an overwhelming quantity of security advice.
Use of 2FA
(If you’re not familiar with 2FA and want to know why it’s so important, take a look at Two-factor authentication (2FA): why you should care.)
So, how many people use 2FA?
- 25% used 2FA on all of the devices or services that offered it
- 45% used 2FA on some, but not all services
- 28% never used 2FA
Those who used 2FA on some, but not all, of their digital services were asked why they used it where they did. Their answers?
- 62% said they used 2FA where they were required to do so
- 28% said that they used 2FA for the services that were more important to them
- 8% said that they activated 2FA where it was easier to do so
And non-use
Of those who did not use 2FA for any services…
64% had never seen information about nor had been prompted to use this [2FA] security strategy
An interesting finding when you consider that the survey also revealed 80% of respondents identified prompts (including invitations to use 2FA) as their reason for adopting at least one of their good digital-security behaviours.
When questioned why they did not use 2FA:
- 41% said inconvenience
- 15% said privacy concerns
A lack of negative experience and belief that their data had no value were the next most common reasons given.
Marketing departments should take particular note on what that ‘inconvenience’ is really about:
…users reject advice not only because it is inconvenient and they have maxed-out their compliance budget, but because it contains too much marketing material.
And when it comes to privacy concerns, these may well also be heightened by people’s understanding (or lack of understanding) about what 2FA is for:
- 67% said the main purpose of 2FA was security
- 21% believed 2FA would ensure they could regain access to their account
- 10% believed 2FA was to enable a website to contact them
The last is particularly concerning – are unwanted marketing calls and emails (or at least the possibility of them) deterring people from adopting good security practices?
Who do you trust?
On examining where people got their advice on 2FA from:
- 26% said the media was their main source
- 21% said service providers
Other sources also included family and friends, work, school and negative experiences – in that order.
And the reason they accepted that advice?
- 42% because they trusted the person or source of the information
- 52% because the information made sense
- 5% because they feared a negative event
Based on these findings, to me there are some clear needs when it comes to 2FA. The first is the need to keep explaining in clear terms what 2FA is and what it is for.
The second is that – shock horror – more people will use 2FA if it’s easy to set up or if platforms ask them to use it.
JDProuty
2FA which requires a cell phone is a non-starter for my family – no cell phones or cell service!
Paul Ducklin
Not having mobile phone access at all is unusual these days…but if you don’t you don’t, so you’ll probably have to go for an app-based solution. Those don’t need a network connection to generate the codes, just some sort of secure storage for the seed od the code sequence.
Namma
It’s not that unusual, not everyone lives in a country that has access to everything, and I believe it will become more of the norm as people disengage from that which separates them from the real world. The assumption that everyone has a cell phone, or the expectation that everyone must have a cell phone shows a lazy mind. To be truly safe there should be a minimum of three separate methods to engage in 2FA, otherwise sites are showing their disinterest in their users/customers and that they have unrealistic expectations for their own future.
Paul Ducklin
I’ve lived in three countries in recent years, on three different continents, with one of those countries being what is usually called a “developing economy.” In all of them, mobile phone penetration was well over 100%, and mobile phone coverage in metro areas in the high 90% region
Sadly, and perhaps ironically, poverty has been a huge driver of mobile telephony. If you don’t have a job you will never, ever be able to get a landline because you’ll never be approved for the contract you need to sign. But if you can scrape together $5, you can go into a supermarket and come out with a SIM card, a cheap phone, and pay-as-you-go service that includes unlimited *receipt* of text messages for free. You can receive messages even if you have no airtime of your own, because that makes sure that everyone and his dog can spam you with offers to sell you more airtime, get you into debt, get you out of debt, consolidate your debt, buy funeral insurance, cash in funeral insurance, get lucky in love, and win big in lotteries you didn’t enter.
(I ended up buying a $5 phone with a SIM card as a cheap and efficient 2FA “token”. I’d usually get the SMS with the code in it before my internet connection could serve up the web form into which I was supposed to type it. It’s also the most reliable alarm clock I’ve ever owned :-)
So I stand by my claim that it is unusual in much of the world not to have mobile phone coverage, and unusual not to have a mobile phone, by any reasonable definition of unusual, just as it is unusual to find someone who hasn’t watched a TV program in the past month. Many people don’t have mobiles, sure…but in my world, very, very, very many more people do.
But I digress somewhat.
SMS authentication is on the way out because NIST will be banning it for the US public service, and I am assuming that other services will simply follow along – it’s too easy, at least in the USA, to get a SIM card reissued with someone else’s number assigned to it, which causes their messages to go to you, including their 2FA codes.
So app authentication seems to be the way we’re all going, whether we like it or not. The theory seems to be that if you can afford a laptop, the electricity to charge it, and an internet connection, you can afford to get hold of a mobile device that is capable of running an authenticator.
The current favourite backup method is a short-list of pre-printed codes that you lock away somewhere in case your authenticator device blows up, get stolen, goes flat, or falls into the harbour.
In short: there are your three methods, with the one you don’t like (SMS) soon to fall by the wayside, leaving two.
Andrew Ludgate
Just thought I should play non cellphone user’s advocate Paul — as someone in your world who lives in a metropolitan area, I just got a cell phone this year, partially because most of the 2fa methods out there required a SIM card. But then, I also don’t own a TV either and you already know I’m unusual.
But my point to make here is that not all 2FA is created equal. So far, the only painless 2FA that I’ve found that seems reasonably secure is actually Yahoo’s system. It builds the authenticator into its mobile app, and also has other ways of managing authentication should that fail for some reason. Many 2FA solutions by other providers that have been available in the US for years are still not available in Canada, and as you said, SMS authentication is on the way out (and yet that’s still the sole 2FA available to me on many services).
So to increase 2FA adoption, provders need to a) make it available to all customers (even if that means yubikey support or similar for people without a mobile internet device), b) deeply integrate it into their products and c) nag users until they start using it. Doing those three things will unfortunately get us much further along in adoption than education.
cc
My family lives in the good old USA, and zero cell service is available at their house. Zero. It has nothing to do with affording a cellular device. Stop pretending that every place in the world has cell service, and stop pretending that everyone in the world lives in a metro area.
More Info pls
Could you give us some examples of the apps please Paul? I would like to set up an alternative to the phone. I have a cell but it is pay per use and only turned on when needed. On rare occasions when I had no choice but to give my cell # for verification, shortly thereafter I found I was getting spam texts. As I am sure you are aware; the Sophos Mobile Security Android app which I use on my cell (and would highly recommend) is unable to block text spam.
Thanks
Paul Ducklin
The latest update to the Sophos Android Mobile Security app has an authenticator built into it :-) We also have the authenticator app as a standalone download if you want a single-purpose app to do the job.
Sophos Mobile Security, including the soft token authneticator component:
https://play.google.com/store/apps/details?id=com.sophos.smsec
Sophos Authenticator, our stand-alone soft token app:
https://play.google.com/store/apps/details?id=com.sophos.sophtoken
Peter B in Florida
I too lack a cellphone, although I do have a landline (but it doesn’t allow text). Cellphones provide godawful sound quality (why? Are the companies too cheap to pay for even mp3 level audio?) and in the past I have had major problems trying to use them for conversations, so I abandoned them in the early 2000s. I began to see why young people preferred texting to talking on a cell – it’s a real headache.
So I set up a free Google phone number attached to the landline and distributed that as my contact number, which allows me to pick up voicemail and texts as email, and that’s been a good solution for me. When I moved 3,000 miles I didn’t have to change my Google number – just the landline number it was linked to.
However, companies like Yahoo! won’t allow the Google phone number to be used for 2FA, some claiming that the number isn’t legitimate or, as in Yahoo!’s case, that they don’t support VoIP. So I’m denied 2FA by them, and that’s not my choice – it’s theirs. Considering how many businesses now use VoIP to reduce telecomms costs and improve flexibility, that seems pretty shortsighted. IMHO.
Paul Ducklin
Well, any 2FA service that doesn’t also support app-based authentication will soon fall foul of NIST’s new guidelines for US public service organisations, so those that support SMS authentication only will have to adapt.
(Here in the UK, by the way, if you want SMS service and don’t want to make calls or send texts, you can get a tiny featurephone with a 2 week battery life plus a SIM plus unlimited SMS receives for just £1 :-)
DW
My Dog has a cellphone. I’m actually amazed that it appears all the people who don’t have one, have chosen to post here….
Billy Reuben
It’s because the people who are posting are not narrow-minded, nor do they live in a bubble, as Mr. Ducklin does, and continuously demonstrates. Nor are non-mobile users Luddites. More and more people, having been immersed in their handsets for what seems like eons, are coming up for air and thinking “what the #$%@ am I doing with my life?”.
Paul Ducklin
The people posting here – notably CC – are indeed airing their grievances about not having mobile coverage, rather than choosing not to use it.
cc
My parents live in a spot with zero cell service. Yet, they have broadband, and computers. However, no 2FA app will do them any good, because they don’t own a smartphone, because why buy a smartphone when you can only use it if you are at least 20-30 miles away from home?
Paul Ducklin
I think you answered your own question: if you don’t have mobile phone coverage then you can’t use SMS-based 2FA.
Of course, in the developed world it is *very* rare not to have phone coverage. So when our readers make suggestions that assume coverage, they’re hardly being unreasonable.
(Your parents might very well want to buy a mobile phone for when they are on the road – when was the last time you saw a payphone? And if you have a phone many phone companies will provide you with a femtocell that gives you mobile coverage at home via your broadband network.)
TonyG
Well if you enable 2FA on Office 365 and you have Windows Server Essentials with Office 365 integration, then 2FA breaks it. So far I have not found a way round this. Since it is the admin account you are having to use for service integration – the one that needs the highest security – then this just goes to show how well 2FA has actually been thought through as a proper means of authentication. The reality is that it is an ad-hoc Band-Aid fix that sometimes works in some circumstances.
Billy Reuben
Agree with the sentence in this article. More people will use 2FA if it is presented as the standard, rather than an option.
Jesse
You don’t need a phone with service for this. If you use app-based authentication, such as Google Authenticator and have Wifi you can connect your phone to, justice! Especially with Google Voice and Google Hangouts (which lets you accept calls via Google Voice, via Wifi)
cc
The problem is, why would someone buy a phone, just to carry from room to room, running an authenticator app on wifi, if they have no cellular service available? This is the situation of my family. They have multiple computers, there’s no service outside, so why buy a smartphone just for 2FA?
Paul Ducklin
“They” wouldn’t. The suggestion does apply to about 99% of the population in the developed world, though. And even the 1 in 87 people (in cities, the 1 in 387) who don’t have coverage at home might buy a phone to use when they’re in town. After all, your parents have broadband (something that the majority of the world’s population don’t have) so you can imagine them having a tablet or phone for browsing on the sofa via Wi-Fi.
Shariar
Is OATH authentication for 2FA is secure for any financial transaction and why? Is there any example where OATH authentication is used for any financial industry? Is there any limitation for using OATH in financial transaction?