Why more people don't use simple two-factor authentication

It's an easy way to keep your accounts safe. The hard part is getting people to enable it.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
5 min read
Security keys that provide two-factor authentication are an important tool for keeping accounts secure. But most people aren't using them.

Security keys that provide two-factor authentication are an important tool for keeping accounts secure. But most people aren't using them.

Alfred Ng/CNET

Even the simplest cybersecurity suggestion can be challenging for the average person to embrace.

Not everybody wants to pay for or set up a virtual private network or use a password manager. But there's one simple, cheap technique you can employ called two-factor authentication, which protects your account if hackers ever steal your password.

Chances are, you're already using a form of it. When you pay for an item with a debit card and are asked to enter a PIN code after swiping, that's two-factor authentication. It's ultimately just using two ways of proving your identity, most commonly a password and then a code sent to your phone.

Two-factor authentication is one of the easiest ways to prevent hackers from hijacking your accounts. And at a time when hacks of retail chains like Chipotle, websites like Yahoo or credit-check bureaus like Equifax happen with a startlingly high frequency, it's a practice you should start making a habit.

Yet, it's still a long way from widespread adoption, researchers from Indiana University said at the Black Hat security conference on Thursday. Indiana University Professor L. Jean Camp and Sanchari Das, a doctoral student at Indiana University Bloomington, conducted a study of 500 people to find out why the simple security measure isn't popular, despite its benefits and ease.

Watch this: Google is releasing its own 'Titan' security key to prevent phishing

For their research, they purposely sought out tech-savvy students on campus to make sure the result wasn't affected by people who just didn't understand what two-factor authentication is. They wanted participants who had more security and computer expertise than the average person.

What they found was that while these students understood technology, they didn't understand why they needed to take this cybersecurity precaution.

"There was a tremendous sense of confidence," Camp said. "We got a lot of, 'My password is great. My password is plenty long enough.'"

Many who do use two-factor authentication rely on an SMS version of it, where a PIN code is texted to their phones. But it's not as safe as using a physical security key for two-factor authentication, because text messages can still be intercepted, like what happened with Reddit on Aug. 1.

"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Christopher Slowe, Reddit's chief technology officer, said in a post.

Camp said many of the students in the study didn't feel like they'd ever be hacked and didn't see a need for two-factor authentication -- notions the majority of the US population might share.

Two-factored challenges

In a survey published last November, Duo Security found that less than one-third of Americans are using two-factor authentication, while more than half of Americans had never even heard of it.  

In January, a software engineer from Google revealed that less than 10 percent of Gmail accounts were using two-factor authentication.

Google's Titan Security Key plugged in to a computer's USB slot.

Google's Titan Security Key plugged in to a computer's USB slot.

Sarah Tew/CNET

Camp and Das suggested that the best way to get more people to use two-factor authentication would be to better communicate the risks. The same way "Smoking Kills" signs next to cigarettes drive the point home, websites and apps should let users know that a strong password might not be enough.

It doesn't matter how long your password is -- most login information is stolen in database breaches where hackers can just copy and paste passwords. That's why two-factor authentication is a useful second line of defense.

The two researchers sent this suggestion to Google and Yubico, a security company that provides two-factor authentication with a physical key you plug into your USB port. Gmail, Facebook and Twitter are among the many websites that allow for Yubikey as another form of identification.

So far, it hasn't been enough.

"There is an additional step in usability, which is motivation," Camp said. "You can enjoy driving the car, but you're not going to enjoy putting on your seat belt. You have to communicate, 'If I'm taking this hassle, it's for my own good.'"

Key notes

The lack of interest is a real challenge for the folks at Google and Yubico. They want to make sure their users are safe, but few people are actually using their security measures.

Google introduced its own security key on July 25, but the company understands that people aren't lining up around the block to get two-factor authentication. It knows that the majority of people on Google aren't using the key, but it's hoping to change that.

Sam Srinivas, a product management director for information security at Google, expects things to shift very soon.

"It's still in the early days," Srinivas said. "The message has not gone out as to what the real risks of phishing are, but I think we're at the tipping point."

As more high-profile phishing attacks continue to make headlines, like hackers stealing $2.4 million from a Virginia bank with phishing emails, more people will understand the risks, he said.

The challenge is getting rid of a false sense of security, Stina Ehrensvard, Yubico's CEO and founder, said at Black Hat.

She said account takeovers don't happen when a person has a security key, but people don't feel they're at risk until it's too late.

"Most people that have had their accounts hacked end up using two-factor authentication," Ehrensvard said. "The ones who haven't are thinking, 'Oh, it's not going to happen to me.'"  

But the company isn't going to wait until everyone has been hacked to adopt security keys. Ehrensvard said Yubico has made several efforts to spread the word about security keys, like setting up workshops and awareness programs.

The company has worked with political campaigns, news organizations, financial institutions and government agencies in the last few years, she said. The adoption rate might be slow, but Ehrensvard isn't worried.

"There is no other authentication technology out there that has as good of a return on investment," she said. "But there is a perception problem."

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night. 

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.