2FA progress uneven as password obsolescence approaches
Consumers use the same password for seven different accounts, on average, according to TeleSign’s Consumer Account Security Report 2016. The report, released Wednesday, shows that nearly half of consumers (46 percent) have turned on two-factor authentication (2FA), an 18 percent increase from the previous year.
Amidst a year in which a record number of breaches have been reported, TeleSign surveyed 1,300 consumers, and found that almost a third of them consider their online life to be worth over $100,000, or even priceless.
TeleSign found that 82 percent of consumers are concerned about their online security, and even more are concerned about being hacked. Over half (51 percent) of those surveyed experienced a security incident in the past year, making consumer worries understandable, and perhaps likely to increase.
Businesses are primarily responsible for the security of online and mobile accounts, according to 55 percent of consumers, and because a third of them stop doing business with companies after their account is compromised, that perception to some extent becomes the reality for service providers.
Consumer password duplication is a significant cause of account hacks, stolen passwords, and information being compromised, according to the report, as 71 percent of online accounts are protected by passwords used on other sites. Consumers even recognize passwords as a problem, with only 38 percent reporting high confidence in their protection, and 73 percent saying forgetting them is the most frustrating part of the security process.
TeleSign encourages use of 2FA in part through TurnOn2FA.com, which it founded last year. Over half of consumers would prefer to authenticate with 2FA (53 percent) or personalized security questions (56 percent), and along with TurnOn2FA.com, efforts by groups like the National Cyber Security Alliance and the White House’s “lock down your log-in” campaign are making an impact, TeleSign SVP of Marketing Brian Czarny told Biometric Update in an interview.
“They’re really pushing to help consumers understand what two factor authentication is, and the way to get started with it, and why it’s important.”
For biometrics providers, one of the main takeaways from the report is that only 23 percent named “behavioral or static biometrics” as their preferred method. This may be part of a broader need for consumer digital security education and awareness.
“Biometrics is still a new device for a lot of people,” Eric Lammerding of TeleSign told Biometric Update. “Based on the data they tend to prefer the things that they’re familiar with, whether it’s personalized security questions, or 2FA, or strong passwords. Those are the things that are most obvious to consumers on a general basis, so that seems to be what they prefer. I would imagine we’ll see that change over the next couple of years, but based on what we’ve seen so far, that’s how things stand.”
Perhaps surprisingly, millennials are the group with the riskiest habits, as 64 percent have had an account compromised or hacked or a password stolen, compared to 44 percent from all other generations. Millennials were found to use the fewest unique passwords, perhaps because they were also found to place a lower value on their online life.
This means that while they may have grown up with passwords, millennials are not well-secured by them, and that those in the demographic have not necessarily made any conscious choice of secure authentication method yet, leaving the field open.
Those who have been hacked are almost twice as likely to use 2FA as those who have not, 60 to 32 percent.
“I’m not sure if it’s really getting that much easier, but it’s getting more prevalent. You’re starting to see more and more businesses offer some form of two factor authentication now than you have in the past. And I think, generally, education and awareness have increased.”
The report found that not knowing it was available is the main reason for not using 2FA (35 percent), and that a lack of awareness is also behind the other main factors against it. Significant numbers of consumers say they “don’t know what it is” (27 percent), they “don’t know how to turn it on” (23 percent), or that none of their accounts offer it (20 percent).
Given the lack of awareness, some who gave the last of those reasons may more accurately have meant the first.
“I think a lot of it comes down to they didn’t know it was available to turn on because they weren’t able to actually find it,” said Czarny. He recommends websites and apps encourage 2FA as part of their registration process for new users, and make it more visible in the log-in process for existing accounts.