Ponemon Report Shows E-Commerce Reliance on Passwords Inhibits Business

Companies are increasingly insisting on or offering two-factor authentication for access to online services – banks often insist on it, Google offers it, many others promise it, and security experts recommend it. It’s a response to the vast number of passwords that have been stolen or put at risk by hackers (up to 167 million from just 7 recent breaches, according to figures reported by DataLossDB.org). But until now there has been no study of what the consumer thinks about multi-factor authentication.

Sponsored by Nok Nok, itself an online authentication company, the Ponemon Institute has now published research titled Moving Beyond Passwords: Consumer Attitudes on Online Authentication. Ponemon questioned 1,924 consumers aged between 18 and 65 in the US, UK and Germany. The results show conflicting attitudes – many users accept that passwords are no longer sufficient to protect their information, but many are frustrated by the complexity, and the frequent failures, of an additional authentication factor.

“It’s not that web services are deliberately trying to irritate their users...” says the report. “But it’s a fine line because providing strong authentication has traditionally brought great cost and complexity for web services and significant hassle for consumers.” The result is an authentication landscape that is confused and confusing. Some web services insist on two-factor authentication, others merely offer it; some require strong passwords, while others leave it to the consumer and merely recommend them. The web services have to choose between a higher risk to customers’ personal data (and potential censure from data protection regulators) and lost revenue when frustrated consumers stop using the service because of log-on complexities.

Around 50% of respondents were frequently or very frequently unable to perform an online transaction such as buying a product or service because of an authentication failure. Despite this (possibly because consumers accept that a primary problem is themselves forgetting a long or complex password), a mean of around 50% of users do not trust systems or websites that rely solely on passwords, while around 40% do not trust those that do not require frequent password changes. (Incidentally, the survey results confirm an anecdotal observation: Germany tends to be more concerned about personal privacy than the US, while the UK is often ambivalent somewhere between the two.)

If consumers are unhappy with passwords alone, the question is which additional authentication factor they favor. In general, consumers seem to accept biometric authentication, especially if the organization concerned doesn’t itself hold the biometric data: 69% in the US, 70% in the UK, and 74% in Germany. The favored biometric is voice recognition (around 80%), followed by facial scan (around 70%). Least favored of the primary biometric options is fingerprints in Germany, and iris scans in the US and the UK.

Banking institutions are the most trusted to hold the multi-factor credentials in all three countries. According to the respondents, the top five organizations that have the most secure authentication (in order of best to worst) are banking institutions, credit card and internet payment providers, social media, retailers, and internet service providers. Since ‘users’ will always side-step security restrictions that get in their way, understanding what they want and will accept will ultimately lead to better authentication security.
