A recent presentation at Usenix’s Enigma 2018 by a Google software engineer, https://www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authentication/, discussed the extremely low use of not only two-factor authentication (less than 10 percent), but also of password managers. The ease of passwords being guessed, phished, stolen etc… makes these “optional” protections not just a good suggestion, but a necessity in today’s digital world. The low use of these enhanced security features by normal end users are potentially due to several reasons listed below.
Lack of awareness that these types of security options even exist
Like the old saying goes, What you don’t know won’t hurt you. However, in this case it most definitely can if your account is compromised. Online service providers such as Google’s Gmail do not appear to be doing enough to inform the end users that these options exist. It must be made clear, easy to understand, and easily enabled for end users to actually use it. Users are not going to want to trudge through multi-layered and cryptic menus to get these features enabled.
Lack of caring or interest by end users to enable even if they do know about it
Wait a second didn’t you just say it was primarily because users did not even know that the two-factor option even exists? Yes, I did. However, how many times have you clearly known something was perhaps not the best for your health and you continued to do it? Same behavior applies here. Even if I were to explain it in the clearest way as to why enabling two-factor is important, more than likely, a user would simply ignore it as they don’t feel it is important enough to care about because no way could their account get compromised.
Impatience with getting access to accounts
People simply want to get access to their accounts as quickly as possible with the least amount of work. Waiting for a text, viewing a code generated via an app on a phone, or waiting for a phone call simply takes too much time and too much hassle to log into their account. People do not like waiting and they like everything to be easy and fast!
People simply need to change the way they view security and stop using the most convenient option available. While this is easier said than done it is better to avoid a potential problem than to have to take a few more seconds to log into their account.
While not all online services offer two-factor authentication there is quite a few and the list of them is growing every day. Go ahead and visit https://twofactorauth.org to see if your online service offers it. Perhaps your employees may also be in need of Cyber Security Awareness Training which InteProIQ offers to create that awareness of how to protect their accounts.
Be Active. Be Aware.
David Confeld
VP of Tech Ops @ InteProIQ