This article looks at consumer survey and research data showing consumer preferences towards various methods of two- or multi-factor authentication and how much friction these various methods of authentication add to the login process. In short, consumers are reluctant to turn on these additional authentication steps across most industries, and many will not opt-in to the additional 15-25 seconds various authentication methods add to the login process on average.
Two Factor (2FA) or Multi-Factor Authentication (MFA) provides an additional layer of security to protect against account takeover, but it also requires an additional step on the part of the end user. Organizations struggle to find balance between maintaining account security and providing an optimal user experience with limited friction.
Consumer Preferences
Prove’s 2023 State of MFA Report surveyed 1,000 US adults on their preferences around 2FA/MFA and found that while consumers recognize the additional security it provides, they want lower-friction options and will often not opt-in to using it unless it is required.
When asked the primary reason they choose not to enable MFA when given the choice, one-third of consumers simply said because “it’s annoying.” Saying that MFA is too complicated or too slow were the next two most cited reasons, as each was indicated by 23 percent of consumers. More than one-in-five claimed the verification method is not properly delivered or caught in spam filters.
Consumers’ preferences for 2FA/MFA varies widely based on the industry or account which they may choose to protect. When given the choice, at least 60 percent of consumers would enable MFA for online banking, insurance accounts and healthcare portals. Many in these industries mandate 2FA for their users, so consumers are more accustomed to using them for these accounts, and given the sensitive data or access to funds these accounts should be protected. Although online banking is one of the industries which consumers are most likely to opt-in to using MFA, the fact that 40 percent would choose not to use it implies consumers are willing to sacrifice security, even with their finances, for the sake of convenience.
With most other types of accounts, consumers are reluctant to use MFA. The online gambling industry has the lowest opt-in rate for MFA as indicated by this survey, with 80 percent of consumers saying they would not enable it if given the choice. Surprisingly, 73 percent would choose not to enable MFA for cryptocurrency accounts, while 70 percent would opt-out of MFA for social media accounting.
Quantifying Friction and Usability Across 2FA Methods
The survey discussed above shows consumers prefer not to use MFA unless required across most industries, but is the friction MFA/2FA adds to the login process worth the risk? Obviously this is an individual decision based on differing ranges of risk adversity and apathy across consumers, but quantifying the friction or 2FA is one way this tradeoff can be examined in more detail. One of the most detailed scientific studies and research papers on the topic of 2FA/MFA was published by USINEX in 2019. This study looked at authentication times and a usability score across five different 2FA/MFA methods:
SMS (text message) based one-time verification codes
Time-based one-time password (TOTP) such as Google Authenticator
Pre-generated codes, which are intended as a backup method in case the primary 2FA method is not available or functioning
Push notifications to a smartphone which the user must approve or deny
U2F Security Keys, which require the use of a USB hardware device
This study first looked at the time it took users to complete a given 2FA method from the time the 2FA prompt was loaded to when it was verified or rejected. The methodology details note that users may have spent time preparing or obtaining their 2FA device to be ready to complete the process, which could not be accounted for. In other words, users may spend seconds to minutes retrieving a device, opening an authenticator app or other task before entering their password to login, thus enabling them to complete the 2FA step more quickly.
In terms of average time to complete 2FA, the U2F security key method had the quickest mean (13 seconds) and median (9.1 seconds) times, indicating it is the lowest friction method. Unfortunately, this method requires the user to have USB hardware, which likely means it is reserved for business users and high net worth banking or financial services customers. These are the groups most likely to be using 2FA regardless of method or friction.
Pre-generated codes have the longest mean (28 seconds) and median (17.2) durations to complete authentication, which should be expected as these are long character strings or even series of words (phase phrases, “secret seeds”) that are intended to recover accounts or only be used as a fallback form of authentication.
TOTP methods, such as Google Authenticator, are seen as more secure to SMS-based OTPs which can fall prey to SIM swap scams. TOTP authentication methods had a mean time of 23.9 seconds and median time of 15.1 seconds to complete authentication. SMS 2FA methods had a mean and median time of 18.5 and 16.6 seconds to complete authentication, respectively. Push based notifications took a mean time of 16.1 seconds and median time of 11.8 seconds to complete authentication.
Next, this study used consumer surveys to develop a System Usability Score (SUS) across these five 2FA methods. This specifically focused on consumers using these various methods for online banking, meaning the stakes are higher and the users are more likely to use, if not prefer, enabling 2FA.
This SUS metric was additionally applied to the first factor of authentication, a simple password, for comparison. While passwords had a median SUS of 95 (on a scale of up to 100), most 2FA methods scored in the 75 to 80 range. TOTP services had the highest median SUS amongst 2FA methods at 88.8. Push and SMS based 2FA methods had a median SUS of 81.3 and 75. U2F also had a median SUS of 75.
While the SUS metric was measured to understand the usability at each authentication event, this study also considered the friction and time it takes to set up various 2FA methods for the first time. TOTP takes the longest time to set up, with a mean time of 109.6 seconds – nearly two minutes. The U2F method is the second longest to set up with a mean time of nearly one minute (57.8 seconds). Push based 2FA is the quickest setup followed by SMS at 27.3 and 34.5 seconds, respectively.
Conclusion
Most reading this article are security conscious and would opt-in to 2FA across many types of accounts. While it may be difficult to understand why 40 percent of consumers would not enable 2FA for online banking, quantifying the friction various 2FA methods add to a login process is an important consideration. Account security seems to be more of a priority to organizations than to their customers in most industries. Organizations need to consider the additional steps and friction 2FA brings to the login experience. Different industries will have users with different expectations about whether 2FA is just an option or required, and consumers will have differing preferences towards various 2FA methods independent of the data quantifying friction above.
Account security, authentication and how consumers login to services are constantly evolving, but here are two things we know: Passwords alone are not very secure, and consumers tend to resist 2FA when given the choice. This makes finding the balance between maintaining account security and an optimal user experience difficult.
For more information:
Comments