We’re losing the account security war. Despite the increased availability of 2-step verification (2sv) systems — also called 2-factor and multiple-factor verification/authentication — most people don’t use them. As a result, conventional phishing techniques continue to be largely effective at stealing user account credentials, ruining many lives in the process.
As I’ve discussed previously, part of the reason for this low uptake of 2sv relates to the design of the systems themselves — they frankly remain too complicated in terms of “hassle level” for most users to be willing to bother with.
They don’t really understand them, even when many options are provided. They’re afraid they’ll screw up and get locked out of their accounts. They don’t want to hand over their phone numbers. They don’t trust where the verification phone calls are coming from when they see them on Caller ID — sometimes even reporting those calls as spam on public websites! They don’t know how to use 2sv with third-party apps. Often they tried to use 2sv, got confused, and gave up. It goes on and on. We’ve discussed this all before.
And to be sure, many 2sv implementations simply suck. Frequently they’re badly designed, break down easily, are a pain in the ass to use, and sometimes do lock you out.
Even for Google, which has one of the best 2sv systems that I know of (see their 2sv setup site at: https://www.google.com/landing/2step), user acceptance of 2sv is dismal — Google reports that fewer than 1 in 10 Gmail users have 2sv enabled.
And so the phishing continues. Recently there have been reports of new Russian hacking attacks against Defense Department users’ Gmail accounts (mostly their personal accounts, but that’s bad enough given the leverage that personal info found in such accounts might provide to adversaries).
In corporate environments it’s possible to require use of 2sv. But outside of those environments, this is a very tricky proposition. I’ve noted the theoretical desirability of requiring 2sv for everyone — but I also acknowledge that as a practical matter, given current systems and sensibilities, this is almost certainly a non-starter for now.
Too many users would object, and unlike some government entities (e.g. the Social Security Administration and IRS) that now require 2sv to access their sites and always offer alternative offline mechanisms (e.g., phone, conventional mail) for dealing with them, any major Web firm that tried to require 2sv would be likely to find itself at a competitive disadvantage in short order.
But there’s an even more fundamental problem. Most users simply don’t believe that they’re ever going to be hacked. It always “happens to somebody else” — not to me! Using 2sv just feels like too much hassle for most people under such conditions, though after they or someone close to them have been hacked, they frequently change their tune on this quite quickly — but by then the damage is done.
It’s time to face the facts. Trying to “scare” users into adopting 2sv has been an utter failure.
Maybe we need to consider another approach — the carrot rather than the stick.
What can we do to make 2sv usage desirable, cool, even fun?
In other words, if we can’t successfully convince users to enable 2sv based on their own security self-interests, even in the face of nightmarish hacking stories, perhaps we can “bribe” them into the pantheon of 2sv.
There are precedents for this kind of approach.
For example, Google in the past has offered a bonus of additional free disk space allocations for users who completed specified security checkups.
Could we convince users to enable 2sv (and keep it enabled for at least reasonable periods of time) through similar incentives?
How about a buck or two of Play Store or other app store credits?
Can we make this more of a game, a kind of contest? Why not provide users with incentives not only to enable 2sv themselves, but to help convince other users to do so?
Obviously the devil is in the details, and any such incentive programs, rewards, or account bonuses would need to be carefully designed to avoid abuse.
But I increasingly believe that we need to explore new account security paradigms, especially when it comes to convincing users to enable 2sv.
The status quo is utterly unacceptable. If “bribing” users to enable better security on their accounts could make a positive difference, then let’s bring on the bribes!