Various major Internet firms are currently campaigning to encourage the use of U2F/FIDO security keys (USB, NFC, and now even Bluetooth), steering their users away from other, much more vulnerable forms of 2sv (2-factor) login authentication, especially the most common and most illicitly exploitable form, SMS text messaging. In fact, Google has just introduced their own “Titan” security keys to further these efforts.
Without getting into technical details, let’s just say that these kinds of security keys essentially eliminate the vulnerabilities of other 2sv mechanisms, and given that most of these keys can support multiple services on a single physical key, you might assume that users would be snapping them up like candy.
You’d be wrong in that assumption.
I’ve spent years urging ordinary users (e.g., of Google services) to use 2sv of any kind. It’s a very, very tough slog, as I noted in:
Google Users Who Want to Use 2-Factor Protections — But Don’t Understand How: https://lauren.vortex.com/2017/06/10/google-users-who-want-to-use-2-factor-protections-but-dont-understand-how
But even beyond that category of users, there’s a far larger group of users who simply don’t see the point of “hassling” with 2sv at all, resulting in what Google itself has publicly noted is a depressingly low percentage of users enabling 2sv protections.
Beyond logistical issues regarding 2sv that confuse many potential users, there’s a fundamental aspect of human nature involved.
Most users simply don’t believe that THEY are going to be hacked (at least, that’s their position until it actually happens to them and they come calling too late with desperate pleas for assistance).
Frankly, I don’t know of any “magic wand” solution for this dilemma. If you try to require 2sv, you’ll likely lose significant numbers of users who just can’t understand it or give up trying to make it work — bad for you and bad for them. They’re mostly not techies — they’re busy people who depend on your services, who simply do not see any reason why they should be jumping through what they perceive to be more unnecessary hoops — and this means that WE have not explained this all adequately and that OUR systems are not serving them well.
If you blame the users, you’ve already lost the argument.
Which brings us back to those security keys. Given how difficult it is to get most users to enable 2sv at all, how much harder will it be (even if the overall result is simpler and far more secure) to get users to go the security key route when they have to pay real money for the keys?
For many persons, the $20 or so typical for these keys is significant money indeed, especially when they don’t see the value of really having them in the first place (remember, they don’t expect to ever be hacked).
I strongly suspect that beyond “in the know” business/enterprise users, achieving major uptake of security keys among ordinary user populations will require that those keys be provided for free in some manner. Pricing them down to only a few dollars would help, but my gut feeling is that vast numbers of users wouldn’t pay for them at any price, perhaps often because they don’t want to set up payment methods in the first place.
That problem may be significantly reduced where users are already used to paying and have payment methods already in place — e.g. for the Android Play Store.
But even there, $20 — even $10 — is likely to be a very tough sell for a piece of hardware that most users simply don’t really believe that they need. And if they feel that this purchase is being “pushed” at them as a hard sell, the likely result will be resentment and all that follows from that.
On the other hand, if security keys were free, methodologies such as:
How to “Bribe” Our Way to Better Account Security: https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security
might be combined with those free keys to dramatically increase the use of high quality 2sv by all manner of users — including techies and non-techies — which of course should be our ultimate goal in these security contexts.
Who knows? It just might work!
Be seeing you.
–Lauren–