Security Experts:

Why Are Users Ignoring Multi-Factor Authentication?

Two-Factor Authentication

News Analysis: Twitter reports that two-factor adoption remains startling low, prompting exasperation and frustration among cybersecurity professionals.

Cybersecurity experts can be a crabby bunch. The debates and arguments last for decades (responsible disclosure, anyone?) and it’s rare to find consensus from all stakeholders on the best risk mitigation decisions.

There’s one very noticeable exception: Multi-factor authentication (MFA) is universally hailed as a leapfrog security measure that drastically reduces online threats like identity theft and online fraud. Security experts routinely recommend that users implement MFA technology where available, stressing the value of additional layers of authentication to thwart malicious hackers.

Still, after a decade of evangelism and multi-millions spent on innovation, overall MFA adoption remains stagnant and the latest numbers from Twitter tell a startling story.

In a new transparency report released this month, the social media giant said that barely 2.3 percent of all its active accounts have enabled at least one method of two-factor authentication between July and December last year.   

Even worse, out of that paltry 2.3 percent of all users who opted to turn on the password-verification feature, 80 percent used the weaker SMS-based authentication, which is known to be susceptible to phishing and SIM-hijacking attacks.

Twitter acknowledged this is a significant industry-wide hiccup. “Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure.”

“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”

Twitter hailed 2FA as “one of our strongest protections against account compromise,” noting that it helps to mitigate threats from password reuse or data theft where Twitter accounts may be part of a data dump.

Interestingly, Twitter offers several types of two-factor authentication, including the ability to use an authentication app, a hardware security key, or even the text message/SMS option that is risky but still better than nothing.

“While any form of 2FA is much more secure than not having 2FA enabled at all, some forms of 2FA are more secure than others. In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks,” Twitter’s transparency report reads, even as it notes that the majority of its MFA-enabled users are using the SMS method.

[ Read: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication ]

Security professionals reacted to the Twitter numbers with a mixture of alarm and exasperation.  

“Where do you want me to start?” asked one well-connected security professional who is tasked with a large-scale MFA deployment. “The user experience to set up MFA is a disaster. It’s a bigger disaster because everyone does it differently and there is no standard to anything. You can’t use lessons learned from one deployment to the next. It’s just messy.”

Andy Ellis, a seasoned security leader who now serves as operating partner at YL Ventures, acknowledges that there is friction for user-adoption that dates back to horror stories about account lockouts and lost accounts. “If there is no way to recover an account when you lose your phone, it’s just not worth it,” Ellis said. The former Akamai security chief said the absence of a paid relationship between Twitter and its users also adds to the low adoption rate.

Microsoft’s David Weston says there is a disconnect between creating a security mechanism and enabling it as an optional feature.

“Optional security always means low volume,” Weston said in a Twitter discussion, noting that technology providers need to work harder to make the process more transparent and easy for everyone. 

One additional hiccup is the reality that there is a growing number of users on most platforms that don’t actually know their passwords, due to long-lived browser sessions. As one security professional explained, two-factor authentication is only an option for people who remember their password or use a password manager. 

“When product/security teams have to roll a secret that underpins session security or make some other change that will invalidate sessions, they either need to make it backwards compatible or estimate the number of sessions that will be invalidated and the percentage [of users] that likely won't return because they don't know their passwords.”

Will Gregorian, head of security at Color Health, said industry-wide MFA adoption remains low because MFA applications and the set-up process can be filled with inconveniences and fears of being permanently locked out of accounts. “The user interface is inconsistent,” Gregorian said, noting that negative patterns are reinforced when a user enables MFA and still receives data leak notices.

The problems go deeper than bad user-experience or account lockout fears. In some cases, online providers at some financial services even roll out custom two-factor technology, bypassing industry standards and adding even more friction to the ecosystem.

Related: SIM Swapping Blamed for Hacking of Twitter CEO's Account

Related: Twitter Enables Use of Security Keys as Sole Two-Factor Authentication Method

Related: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication


Related: Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.