Internet Companies Must Do Better at Explaining 2FA

Social networks are a major security concern. They are used as a vehicle to distribute scams and malware, and they are used as a source of personal information for targeted spear-phishing. Tyntec, which describes itself as 'a mobile interaction specialist,' used YouGov to survey 4000 social network users in the US, UK, Russia and Brazil to gauge users' attitudes toward social media security. 

What the survey doesn't do is specify which social network is being used. In the US and UK it is almost certainly Facebook; but in Russia it is just as – if not more – likely to be VK (originally VKontakte, which means 'in contact'). In Brazil, Orkut is still popular, although Ryan Holmes, CEO of Hootsuite, wrote in Forbes last month, "Brazil already counts 65 million Facebook users, second only to the U.S. It’s the world’s second-biggest user of Twitter (with 41.2 million tweeters and counting) and the largest market outside the U.S. for YouTube."

As a result, the Tyntec survey provides attitudes towards certain aspects of security, but gives no indication on whether those attitudes are specifically colored by the security of different social networks.

For example, the survey shows that 35% of Russian social media users claim that their accounts have been hacked. This compares to just 7% in the UK, and 12% in the US. What these figures don't tell us is whether Facebook is more secure than VK,  whether Russian hackers are more effective than western hackers, or Russian users are simply less security-conscious than western users.

There is a similar difficulty in interpreting users' biggest security concerns. "Brazil and Russia respondents," says the report, "claimed identity theft tops the list of greatest social media concerns, with 44% and 28% respectively." UK and US respondents, however, "identified the lack of control over sharing as most concerning, at 36% and 38%." The survey was conducted in July 2013; that is after the first revelations of the NSA's Prism surveillance program (and the alleged involvement of social media giants including Facebook, Google and Microsoft); but before revelations of NSA spying in Brazil. It is possible, then, that politics has played as great a part as geography in users' responses to their current security concerns.

There is a further possible contradiction in user attitudes shown in the use of two-factor authentication to increase security. The highest acceptance of SMS-based 2FA is in the very countries (Brazil at 46% and Russia at 42%) with the highest rate of account hacks. The UK and US, with much lower rates of hacked accounts are also much less likely to adopt SMS-based 2FA (12% and 11% respectively). On the one hand it could be suggested that the prevalence of hacking increases interest in 2FA (Brazil and Russia); but it could equally be suggested that the lack of 2FA does not dramatically increase the likelihood of becoming a victim.

But there is one thing that is very clear: most users, everywhere, do not understand the concept of two-factor authentication. Replies to the question, "Do you know what 2-factor authentication or 2-step authentication is?" were remarkably consistent: 79% in Russia, 78% in Brazil, 77% in the UK, and 72% in the US all said that they do not understand the term.

This, according to Tyntec, is the single biggest take-away from the survey: if social networks wish to improve the security of their customers, they must do a better job in explaining and delivering two-factor authentication. "Internet companies need to clearly communicate why mobile numbers need be shared to launch 2-factor authentication, as it’s the most effective tool in combating hacks and protecting their end-users’ information,” says Thorsten Trapp, co-founder and CTO at Tyntec. “At the same time, Internet players need to make end-users feel more comfortable sharing their mobile number by ensuring that their information will only be used for security reasons.”

What’s Hot on Infosecurity Magazine?