I was recently asked to discuss Ashley Madison and the wider security impact on users (on Sky News), and when I mentioned two-factor authentication, the presenter asked me to explain what it is. This happens a lot when I recommend two-factor authentication and always serves as a reminder that those things which we in the information security industry think of as basic security are not particularly well known to the average computer user. For something pretty simple, easy-to-use and effective, I’ve long had the impression that a lot of people don’t ‘get’ two-factor. If they don’t know what it is, you can be pretty sure they’re not using it.
To explore this observation further, I surveyed 1,000 people in the UK and asked them the following two questions:
- Do you feel confident that you know what two-factor authentication is?
- Do you use two-factor authentication where it is available?
Do you feel confident that you know what two-factor authentication is?
28.3% answered ‘yes’, 71.4% answered ‘no’ and 0.3% ‘other’. The ‘other’ category broke down into ‘a second opinion’ (which I assume to mean the respondent would like a second opinion), ‘have never heard of it’ and ‘ok’ (which I assume to mean the respondent feels ok about their understanding of two-factor).
From the results, it’s interesting to note:
- Among people in the UK, women were less confident than men (79.3% of women selected ‘no’ compared to 64.4% of men)
- The age group 55-64 years was least confident (83.8% selected ‘no’) and those aged 35-44 were most confident (64.3% selected ‘no’)
- Those aged 18-24 years, often considered the most technically-savvy generation, were actually very representative of the wider sample (72.1% selected ‘no’; 27.9% ‘yes’)
Do you use two-factor authentication where it is available?
19.2% answered ‘yes’, 25.2% answered ‘no’ and 55.5% answered ‘I don’t know’.
From this, we can read that 25.2% of people decisively do not use two-factor authentication where it is available and a further 55.5% don’t know what it is.
The results tell us:
- Men are slightly more likely to use two-factor authentication than women (22.3% compared to 15.6%)
- Those aged 45-54 years are the age group most likely to use it (22.2% use it where it is available) and those aged 18-24 are least likely (15.7% use it where available)
- It seems a pretty fair assumption to say that if a respondent has selected ‘I don’t know’, they’re unlikely to be using two-factor. If we proceed with that assumption and combine the totals for both, this gives us a figure of 80.7% who don’t use two-factor authentication where it is available
Taking responses to the two questions together, approximately 70-80% of people don’t use two-factor authentication. One issue, from my point of view, is the name: it sounds far more technical and complicated than it actually is. A wider issue is lack of awareness, and it strikes me that if we can help people understand how easy-to-use and effective two-factor authentication is, for example by websites pushing two-factor more actively, that will be a big win for information security.