Despite security fears, most Americans don't use two-factor authentication

The June study, conducted online by Harris Interactive on behalf of Impermium, explored Americans’ limited adoption of two-factor authentication, levels of worry related to account compromise and preference for sites to offer less-disruptive forms of protection.

A majority of consumers have been affected by typical online threats: A little more than half (56%) of consumers have been a victim of a virus or malware infection on a computer; 37% have been a victim of a phishing attack; 26% have been a victim of account compromise (e.g., hacked, broken into, password theft); 20% have been a victim of a social media phishing attack; and 5% had a phone lost or stolen that resulted in unwanted access to sensitive information.

Despite the recent hype, consumers remain reluctant to adopt two-factor authentication. Impermium and Harris uncovered that an overwhelming majority of Americans have never signed into a website using two-factor authentication (75%), and only 25% have ever signed in with two-factor authentication as a preventive security measure.

“Despite heightened awareness of cyber threats and a clear demand for account protection, Americans are still hesitant to adopt new prevention techniques,” said Mark Risher, CEO of Impermium, in a statement. “Two-factor authentication has been held aloft as a ‘silver bullet,’ but a security system that isn’t turned on provides no security. Only with intelligent, risk-based authentication mechanisms can service providers effectively protect users from account hijacking. Consumers and websites need an intelligent solution that is secure yet simple.”

So what’s the barrier to adoption for two-factor authentication? The findings show that ease of use and privacy have much to do with it. About a quarter (27%) decided against signing onto a website with two-factor authentication because they did not want to disclose their mobile number and/or because they found it inconvenient. Meanwhile 30% say that they just haven’t run across two-factor authentication – i.e., they’ve never needed to use it.

Respondents were split on who is primarily to blame for account compromises. While 39% believe websites are to blame for not offering or maintaining sufficient security features, 37% believe the consumer is to blame due to weak passwords or falling for scams like phishing.

A majority (77%) of those who have not yet been a victim of account compromise said that they are at least somewhat unlikely to continue using a site if their account was compromised. When asked about which types of accounts they are most worried about getting hacked, respondents said that email account compromises drive the most anxiety. A full 79% are at least somewhat worried about having their email account compromised, compared to 71% for online bank accounts and 55% for social media accounts. When asked how concerned they are about cloud data compromise, 43% of the respondents said they are at least somewhat worried.
