According to a recent survey on online security, consumer use of two-factor authentication for online accounts is growing, with almost half now using it on at least one account. In 2016, 46 percent of consumers had two-factor authentication on at least one account, up from 39 percent last year. That is good news.
But like many surveys, the TeleSign Consumer Account Security Report 2016 reveals a disconnect between what people say they want and how they behave. While 72 percent of respondents said they wanted additional security beyond passwords, only 20 percent turned on two-factor authentication after experiencing an account security incident.
Clearly there is some resistance—or at least inertia—to increasing online security. The report also shows that the majority (55 percent) of consumers hold companies primarily responsible for account security. This puts the onus squarely on companies to offer—and maybe require—two factor authentication on their accounts, or at least some more secure alternative to the flawed and failing username-and-password model.
The TeleSign survey (conducted by Lawless Research with 1,300 adults), has some interesting breakdowns of respondents by age group. Millennials (ages 18 to 35) are the most at risk, with 64 percent have had a password stolen or an account compromised in the last year, compared with 44 percent for all others. They also reuse passwords more than anyone else, using the same password on an average of nine accounts, compared with six for everyone else.
This is not surprising. These are digital natives, the generation that grew up online. They are probably more likely to do things online and to be more blasé about security and privacy. The result is a higher risk of compromise. The risk is not just to the consumer. One third of victims of account compromises stopped doing business with one or more companies—a strong incentive for businesses to provide additional security.
An encouraging finding for companies is that it should be possible to improve security and make it more convenient at the same time. The number one security frustration by a large margin at 73 percent is forgetting a username and password. This is an opportunity to offer better security as a customer service.
Which leaves us with the question, what do we replace passwords with? It should include multiple factors. If we take passwords out of the mix, that probably leaves some combination of physical and software tokens, security questions, biometrics and out-of-band confirmation. None of these are perfect. Tokens require distribution and management overhead on the part of the issuer and the user. Questions will be as big a headache to manage and secure as passwords. Biometrics require hardware. Out-of-band confirmation often requires multiple devices and many users are leery of giving a phone number to receive a text or call because of privacy concerns.
But all of these methods, if imperfect, are viable. The best course for businesses probably is to offer a choice and let the consumer choose. This could be burdensome, especially during development and rollout, but in the long run it would improve security and could improve customer satisfaction.
One of the most important steps in implementing security programs will be outreach. The top three reasons for not using two-factor authentication are that customers didn’t know it was available, didn’t know what it was, or didn’t know how to turn it on. The next most common reason is that two-factor is not offered. Getting past those hurdles will clear the way to bring a lot of users onboard.
The reasons for and opportunities to replace or augment passwords are growing. Consumers seem to want better security and a more convenient alternative to passwords. The key is to offer as many options as possible, let the consumer choose, and see what works. There will always be inconveniences, but it has to be better than spending the next two or three years dealing with the fallout of identity theft.