SecurityWeek

Identity & Access

Why Are Users Ignoring Multi-Factor Authentication?


News Analysis: Twitter reports that two-factor adoption remains startlingly low, prompting exasperation and frustration among cybersecurity professionals.

Cybersecurity experts can be a crabby bunch. The debates and arguments last for decades (responsible disclosure, anyone?) and it’s rare to find consensus from all stakeholders on the best risk mitigation decisions.

There’s one very noticeable exception: Multi-factor authentication (MFA) is universally hailed as a leapfrog security measure that drastically reduces online threats like identity theft and online fraud. Security experts routinely recommend that users implement MFA technology where available, stressing the value of additional layers of authentication to thwart malicious hackers.

Still, after a decade of evangelism and many millions spent on innovation, overall MFA adoption remains stagnant, and the latest numbers from Twitter tell a startling story.

In a new transparency report released this month, the social media giant said that barely 2.3 percent of all its active accounts have enabled at least one method of two-factor authentication between July and December last year.   

Even worse, of that paltry 2.3 percent who opted to turn the feature on, 80 percent used SMS-based authentication, the weakest of the available methods and one known to be susceptible to phishing and SIM-hijacking attacks.

Twitter acknowledged this is a significant industry-wide hiccup. “Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure.”

“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”


Twitter hailed 2FA as “one of our strongest protections against account compromise,” noting that it helps to mitigate threats from password reuse or data theft where Twitter accounts may be part of a data dump.

Twitter offers several types of two-factor authentication: an authenticator app, a hardware security key, or the text message/SMS option, which is risky but still better than nothing.

“While any form of 2FA is much more secure than not having 2FA enabled at all, some forms of 2FA are more secure than others. In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks,” Twitter’s transparency report reads, even as it notes that the majority of its MFA-enabled users are using the SMS method.

[ Read: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication ]
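The difference the report is drawing between SMS/app codes and security keys comes down to what the second factor actually proves. A one-time code carries no information about which site the user typed it into, so a phishing page that relays it in real time gets in; an origin-bound assertion of the kind a security key produces is signed over the origin the browser was on, so the same relay fails at the real site. The following is an added example written for this page, not code from Twitter or from the article; it simulates both flows in one process. The two origins, the password, and the use of a shared HMAC key in place of a real public-key signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import secrets
import struct
import time

REAL_ORIGIN = "https://example-social.test"          # assumed, stands in for the real site
PHISH_ORIGIN = "https://example-social-login.test"   # assumed lookalike the victim was lured to


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the same kind of code an authenticator app
    computes or an SMS gateway delivers. Nothing in it identifies the site."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpService:
    """Password + one-time code. Accepts the neighbouring 30 s windows for clock skew."""

    def __init__(self, password: str, otp_secret: bytes):
        self.password, self.otp_secret = password, otp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(password, self.password)
        code_ok = any(hmac.compare_digest(code, totp(self.otp_secret, now + d)) for d in (-30, 0, 30))
        return pw_ok and code_ok


class OriginBoundService:
    """Password + an assertion over a fresh challenge AND the origin the browser
    was on (the idea behind WebAuthn security keys). Simplification: a shared
    HMAC key stands in for the authenticator's public-key signature."""

    def __init__(self, password: str, key: bytes):
        self.password, self.key = password, key
        self.pending = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login(self, password: str, assertion: dict) -> bool:
        client_data = assertion["client_data"]
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:       # unknown or replayed challenge
            return False
        self.pending.discard(data["challenge"])
        if data["origin"] != REAL_ORIGIN:                # this check is what defeats the relay
            return False
        expected = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(password, self.password) and hmac.compare_digest(expected, assertion["sig"])


def security_key(key: bytes, origin_seen_by_browser: str, challenge: str) -> dict:
    """The browser, not the user, fills in the origin; the key signs over it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    return {"client_data": client_data,
            "sig": hmac.new(key, client_data.encode(), hashlib.sha256).digest()}


def relay_attack_otp(svc: OtpService, password: str, otp_secret: bytes, now: int) -> bool:
    """Victim types password and current code into the phishing page; attacker forwards both."""
    stolen_code = totp(otp_secret, now)
    return svc.login(password, stolen_code, now)


def relay_attack_origin_bound(svc: OriginBoundService, password: str, key: bytes) -> bool:
    """Attacker fetches a real challenge and relays it, but the victim's browser is on PHISH_ORIGIN."""
    chal = svc.challenge()
    return svc.login(password, security_key(key, PHISH_ORIGIN, chal))


def demo() -> dict:
    """Fresh accounts with constructed secrets; returns the outcome of each scenario."""
    now = int(time.time())
    otp_secret, key, pw = os.urandom(20), os.urandom(32), "correct-horse"
    otp_svc, ob_svc = OtpService(pw, otp_secret), OriginBoundService(pw, key)
    return {
        "otp_legit": otp_svc.login(pw, totp(otp_secret, now), now),
        "otp_relayed": relay_attack_otp(otp_svc, pw, otp_secret, now),
        "origin_bound_legit": ob_svc.login(pw, security_key(key, REAL_ORIGIN, ob_svc.challenge())),
        "origin_bound_relayed": relay_attack_origin_bound(ob_svc, pw, key),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} login {'succeeded' if ok else 'rejected'}")
```

Note that the SIM-hijacking case is simpler still and needs no relay: the attacker receives the SMS directly, so the `otp_relayed` outcome applies to it as well. The origin check is not something the user can be tricked into skipping, because the origin is supplied by the browser from the page actually loaded, which is why the report ranks security keys above both app and SMS codes.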

Security professionals reacted to the Twitter numbers with a mixture of alarm and exasperation.  

“Where do you want me to start?” asked one well-connected security professional who is tasked with a large-scale MFA deployment. “The user experience to set up MFA is a disaster. It’s a bigger disaster because everyone does it differently and there is no standard to anything. You can’t use lessons learned from one deployment to the next. It’s just messy.”

Andy Ellis, a seasoned security leader who now serves as operating partner at YL Ventures, acknowledges that there is friction for user-adoption that dates back to horror stories about account lockouts and lost accounts. “If there is no way to recover an account when you lose your phone, it’s just not worth it,” Ellis said. The former Akamai security chief said the absence of a paid relationship between Twitter and its users also adds to the low adoption rate.

Microsoft’s David Weston says there is a disconnect between creating a security mechanism and enabling it as an optional feature.

“Optional security always means low volume,” Weston said in a Twitter discussion, noting that technology providers need to work harder to make the process more transparent and easy for everyone. 

One additional hiccup is the reality that a growing number of users on most platforms don't actually know their passwords, thanks to long-lived browser sessions. As one security professional explained, two-factor authentication is only an option for people who remember their password or use a password manager.

“When product/security teams have to roll a secret that underpins session security or make some other change that will invalidate sessions, they either need to make it backwards compatible or estimate the number of sessions that will be invalidated and the percentage [of users] that likely won’t return because they don’t know their passwords.”
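The "backwards compatible" option mentioned above usually means versioning the key rather than swapping it. If each session token records which key signed it, a new key can be introduced for fresh sessions while the old key is kept for verification only, then retired once its sessions have aged out; nothing is invalidated on rotation day. The following is an added example for this page, not code from Twitter or from the person quoted; the key ids, secrets and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json


class SessionSigner:
    """HMAC-signed session tokens that carry a key id, so rotation is additive."""

    def __init__(self, keys: dict, current: str):
        self.keys = dict(keys)      # kid -> secret; every entry is accepted for verification
        self.current = current      # kid used to sign newly issued sessions

    def issue(self, user_id: str, now: int) -> str:
        body = json.dumps({"uid": user_id, "iat": now, "kid": self.current}, sort_keys=True).encode()
        sig = hmac.new(self.keys[self.current], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def verify(self, token: str):
        """Returns the session claims, or None for a malformed, unknown-key or tampered token."""
        try:
            b, s = token.split(".")
            body, sig = base64.urlsafe_b64decode(b), base64.urlsafe_b64decode(s)
            kid = json.loads(body)["kid"]
        except (ValueError, KeyError, TypeError):
            return None
        secret = self.keys.get(kid)          # a kid the server never issued cannot verify
        if secret is None:
            return None
        if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), sig):
            return None
        return json.loads(body)

    def rotate(self, new_kid: str, new_secret: bytes) -> None:
        """Start signing with a new key; the old one stays valid for verification."""
        self.keys[new_kid] = new_secret
        self.current = new_kid

    def retire(self, kid: str) -> None:
        """Drop an old key once sessions signed with it have expired (or must be cut off)."""
        self.keys.pop(kid, None)


def demo_rotation():
    """Whether an old and a new session verify during the overlap and after retirement."""
    signer = SessionSigner({"k1": b"old-secret-constructed"}, "k1")
    old = signer.issue("alice", 1_700_000_000)
    signer.rotate("k2", b"new-secret-constructed")
    new = signer.issue("bob", 1_700_000_100)
    during = (signer.verify(old) is not None, signer.verify(new) is not None)
    signer.retire("k1")
    after = (signer.verify(old) is not None, signer.verify(new) is not None)
    return during, after


if __name__ == "__main__":
    print(demo_rotation())
```

The retire step is where the estimate from the quote comes in: the number of sessions still signed under the old key at that moment is the number of users who will be asked for a password they may not remember.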

Will Gregorian, head of security at Color Health, said industry-wide MFA adoption remains low because MFA applications and the set-up process can be filled with inconveniences and fears of being permanently locked out of accounts. “The user interface is inconsistent,” Gregorian said, noting that negative patterns are reinforced when a user enables MFA and still receives data leak notices.

The problems go deeper than bad user experience or fear of account lockouts. Some providers, including some financial services firms, roll out custom two-factor technology instead of adopting industry standards, adding even more friction to the ecosystem.

Related: SIM Swapping Blamed for Hacking of Twitter CEO’s Account

Related: Twitter Enables Use of Security Keys as Sole Two-Factor Authentication Method

Related: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication

Related: Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
