Two-factor authentication (2FA) and why we do or don’t use it


The results of a study into users’ security beliefs, knowledge and demographics make for some interesting reading – particularly around two-factor authentication (2FA). The paper, “How I learned to be secure”, reveals how these factors influence where people turn for security advice and what influences their decision on whether to act on that advice.

The study

The joint University of Maryland and Johns Hopkins University study asked 526 US users questions about their security behaviours, advice sources, reasoning and beliefs. It focused on four important areas: 2FA, password strength, antivirus use and software updating.

The study team hopes the findings will reduce the amount and improve the quality of security information available. And that this, in turn, will make it easier for users to learn good security behaviours. They begin their paper by noting:

Few users have a single, authoritative, source from whom they can request digital-security advice. Rather, digital-security skills are often learned haphazardly, as users filter through an overwhelming quantity of security advice.

Use of 2FA

(If you’re not familiar with 2FA and want to know why it’s so important, take a look at Two-factor authentication (2FA): why you should care.)

So, how many people use 2FA?

  • 25% used 2FA on all of the devices or services that offered it
  • 45% used 2FA on some, but not all services
  • 28% never used 2FA

Those who used 2FA on some, but not all, of their digital services were asked why they used it where they did. Their answers?

  • 62% said they used 2FA where they were required to do so
  • 28% said that they used 2FA for the services that were more important to them
  • 8% said that they activated 2FA where it was easier to do so

And non-use

Of those who did not use 2FA for any services…

64% had never seen information about nor had been prompted to use this [2FA] security strategy

This is an interesting finding when you consider that the same survey found that 80% of respondents identified prompts (including invitations to use 2FA) as the reason they adopted at least one of their good digital-security behaviours.

When questioned why they did not use 2FA:

  • 41% said inconvenience
  • 15% said privacy concerns

A lack of negative experiences and a belief that their data had no value were the next most common reasons given.

Marketing departments should take particular note of what that ‘inconvenience’ is really about:

…users reject advice not only because it is inconvenient and they have maxed-out their compliance budget, but because it contains too much marketing material.

And when it comes to privacy concerns, these may well be heightened by people’s understanding (or lack of understanding) of what 2FA is for:

  • 67% said the main purpose of 2FA was security
  • 21% believed 2FA would ensure they could regain access to their account
  • 10% believed 2FA was to enable a website to contact them

The last is particularly concerning – are unwanted marketing calls and emails (or at least the possibility of them) deterring people from adopting good security practices? It is worth remembering that only SMS and voice-call 2FA need a phone number at all; authenticator apps and hardware tokens work without handing one over.

Who do you trust?

When asked where they got their advice on 2FA from:

  • 26% said the media was their main source
  • 21% said service providers

Other sources also included family and friends, work, school and negative experiences – in that order.

And the reason they accepted that advice?

  • 42% because they trusted the person or source of the information
  • 52% because the information made sense
  • 5% because they feared a negative event

Based on these findings, there are some clear needs when it comes to 2FA. The first is to keep explaining, in clear terms, what 2FA is and what it is for.

The second is that – shock horror – more people will use 2FA if it’s easy to set up or if platforms ask them to use it.