We recently asked 1,000 members of the public in the United Kingdom about their attitudes and behaviours regarding two-factor authentication (2FA). Working in security, it is easy to live in a bubble about what good practice looks like, what people should do and what they actually do. When it comes to staying safe online, there can be a big divide between the attitudes and behaviours of security professionals and those of everyone else. Exploring how people outside the security community feel and act when it comes to security measures is fundamental to our success, because these are the people we are so often trying to communicate with, influence and persuade. The start of cyber security awareness month seems like the perfect time to explore these issues.
First, we asked the 1,000 internet users whether they feel confident that they know what two-factor authentication is. When we do awareness-raising, whether internally for organisations or with members of the public, we often find that terms we take for granted in the security community have not been well communicated or explained to people outside it. The survey results confirmed this: only 38% felt confident that they know what 2FA is, while 62% said they were not confident they know what it is.
If the majority of people do not feel confident they know what two-factor authentication is, it is a safe bet that most of them are not deliberately enabling the feature on their internet accounts. Those who use online banking will probably be using 2FA without calling it that, and there will be other times they are sent a code by SMS to verify their identity online, but chances are they will not have opted in to 2FA on their personal email or social media accounts, for example. Our survey results back this up. We asked people whether they were using 2FA where available and found that 26% were, 29% were not and 45% were unsure. That 45% is consistent with the first finding: it is hard to know whether you are using something you cannot confidently define.
This seems like bad news, and it certainly shows how much work we have to do, particularly when it comes to our communication skills. However, there are signs of progress. I asked the same questions of 1,000 people in the UK in 2015. In that survey, I found that fewer people were confident they knew what 2FA was and fewer people were using it: only 28% knew what it was (compared to 38% in this survey) and only 19% were using it (compared to 26% this time). This suggests that we are going in the right direction, but more slowly than we might like. Helping us along the way are the companies that are taking an innovative approach to encouraging use of 2FA: this week, EA announced that they will give away a free month of Origin Access to players who turn on 2FA (or who already have it enabled). This follows in the footsteps of Mailchimp, who provide a 10% discount for three months when people enable 2FA. It would be great to see statistics that show whether these incentives drive more people to set up 2FA - if so, hopefully more companies will follow suit.
Talking of 2FA inevitably raises the issue of SIM swap attacks and whether recommending 2FA is still the right course of action. SIM swapping is an attack on the phone number, so it undermines codes delivered by SMS or voice call specifically; a second factor from an authenticator app or a hardware security key does not depend on the number and is not affected by it. We believe that 2FA is still the right thing to recommend: it is an extra layer of defence that might not be perfect, but is certainly better than relying on passwords alone, and even an SMS code still stops the attacker who has only the password. When we have so much work to do communicating security tools and processes, and driving engagement with them, perfect is the enemy of good, or at least the enemy of better. Plenty of people will argue that we should be advising use of multi-factor authentication (MFA) rather than two-factor (strictly, 2FA is the two-factor case of MFA, but in this debate "MFA" usually means going beyond a password plus a single code). However, when we still have so much work to do just to get people understanding and engaging with 2FA, is it realistic to aim for MFA? Or does the low engagement with 2FA actually represent an opportunity to "leapfrog" a lot of people straight to MFA? I'd love to know your thoughts - as always, Twitter is a great place for this kind of debate!