Most Americans don’t have a clue what https:// means

55% of US adults couldn’t identify an example of 2FA, and only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted.

… and the Pew Research Center discovered plenty of other sobering facts about what Americans know and don’t know about cybersecurity and privacy.

The survey

The Pew Research Center conducted a survey which tested Americans and their digital knowledge, asking 4,272 adults in the US a series of 10 questions about a range of digital topics, such as cybersecurity or who the bearded guy in the photo was (answer: Twitter co-founder Jack Dorsey. Only 15% got that one right, but how that fits into cybersecurity and privacy concerns is a question that Pew didn’t address.)

How well the respondents did depended a great deal on what the topic, term or concept was, as well as how old they were and what their level of educational attainment was. Young people, you did better. College-educated people, you did better, too.

Respondents did A+ work when it came to identifying where you can get phished, for example. In an email? On social media? In a text message? On a website? Or how about the correct answer: “all of the above?” Ding-ding-ding, we have a winner! 67% of Americans knew that you can get phished all over the place.

Respondents aced the question about what cookies are, as well – 62% correctly said that websites that use cookies can track your visits and activity on the site.

Where we fall flat on our 2FA faces

Here’s where we aren’t so smart: only 28% of adults could identify an example of 2FA, which is one of the most important ways that people can protect their personal information on sensitive accounts.

To be fair, the question tossed a number of images of security strategies together: if you go to pages 14-15 of the survey, which you can download here, you’ll see that respondents were asked to pick the image that represented 2FA.

In the mix were a reCAPTCHA image with wavy words you need to type in to prove you’re not a bot; a customer login asking for a username, password, and a six-digit code (the correct choice); a request to confirm a security image (pretty flowers!) and keyword before entering your password; one of those security questions prompts that wants you to fill in your “who was your childhood best friend” type questions (the answers for which, all too often, can be easily mined from social media, unless you do the smart thing and answer with Goobledygook Galore); “all of the above” or “Not sure.”

Forty-two percent said “all of the above.” Only 28% spotted the request for a code and knew that it, and it alone, was indicative of 2FA.

What is this https:// of which you speak?

Only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted. 53% weren’t sure, but at least they didn’t choose some of the incorrect guesses: that the content on the site is safe for children (wrong, and, thankfully enough, chosen by only 1% of respondents), that the site is only accessible to people in certain countries (wrong, and chosen by only 2%), or that the site has been verified as trustworthy (wrong, and chosen by 12%).

HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the web server before any HTTP requests are sent. As we’ve explained, TLS protects your HTTP traffic from eavesdropping and manipulation as it moves over a network, between you and the site you’re using. It doesn’t say anything about the security or legitimacy of the site itself, though.

Unfortunately, the padlock symbol that your browser displays when you’re using HTTPS can fool users into thinking it does. Many assume (not least because security professionals spent years telling them to) that the padlock means the website they’re looking at must be the real thing, rather than a fake.

The FBI recently warned that phishing sites are preying on this misunderstanding and using TLS to appear more legitimate to victims.

More takeaways

These are some of the other subjects the Pew Research Center quizzed Americans on, along with the results:

• 59% know that advertising is the largest source of revenue for most social media sites, rather than things such as exclusive licensing deals (4%) or corporate consulting (2%).
• 48% of adults correctly answered that a privacy policy is a contract between websites and users regarding how their data will be used.
• 45% know that net neutrality refers to the principle that internet service providers should treat all traffic on their networks equally.
• 24% are aware that “private browsing” or “incognito mode” only hides online activity from other individuals using the same computer. That doesn’t mean that the user’s activities are masked and not being captured by the websites, the internet provider, or an employer if the browsing is being done on a work computer. (We pointed that out recently when Google brought Incognito mode to Maps).
• Just 29% of Americans correctly named WhatsApp and Instagram as two companies owned by Facebook.
• Only 15% correctly identified Jack Dorsey. 77% reported being unsure of who was in the photo. Sorry, Jack.

A brief explanation of 2FA

So, about that 2FA question that so many of us got wrong: If you want a technical deep-dive into what 2FA is, please do check out Chester Wisniewski’s 2FA article here. If you’re feeling TL;DR, check out Maria Varmazis’s 2FA article, which breaks it down into simple but helpful terms.

In essence, 2FA is when you prove who you are to a website or service using two out of these three things:

• Something you know – like a password
• Something you have – like a numerical keycode
• Something you are – like a fingerprint

As Maria explains, many of us who’ve worked in the corporate world at some point have carried a small key fob or token with us, and typed in the displayed numbers when logging in to a core work system. That’s one example of a 2FA factor: that code is something you have.

Similarly, if your favorite shopping or banking website has been asking you to verify your identity by typing in a numerical code texted to you, that’s also 2FA at work.

2FA works as an additional layer of security on top of things like passwords, which are all too frequently stolen by hackers or exposed in databases left unprotected, without a password, online.

If you’re offered a chance to secure an account with 2FA, we think it’s a smart idea to do so. It’s a good security technique to recognize and to get to know better if you aren’t sure just exactly what it is and isn’t.