How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse

Education, education, education is key to security

RSA Despite multi-factor authentication being on hand to protect online accounts and other logins from hijackings by miscreants for more than a decade now, people still aren't using it. Today, a pair of academics revealed potential reasons why there is limited uptake.

Spoiler alert: it's because, apparently, there isn't enough focus on clearly explaining the actual need for this extra layer of account security.

In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).

For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.

That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.


What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.

The duo carried out a two-phase test, where users were told about the technology and shown instructions on how to use it. Feedback from this phase, which revealed where folks were getting stuck in the process of MFA enrollment, was passed along to manufacturers of the security keys, who, we're told, changed their instructions and prioritized ease-of-use as a result. However, it still wasn't enough.

“Even after the [training] sessions, they still didn't use it,” Dr Camp said. “It wasn’t cost, because they got the hardware for free, and it wasn’t usability, because we changed the instructions to make those easier. In the end, risk communication was key.”

When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security


Actually getting this message across needs a variety of techniques. Millennials, they noted, were much less concerned with the loss of personal information, with many saying they put all that info online in public anyway. But show how their bank accounts could get pillaged, and they sat up and paid attention.

The most effective way to get the security message across appears to be video. Dr Camp said that a video showing how reusing a password is like reusing a toothbrush to clean a toilet got the message across more effectively than a print warning. Not only should you not be doing it, but also, password security matters, and MFA is part of that. Single-factor, password-only security is flimsy and weak, compared to MFA protections.

That said, longer videos work best for older folks, while shorter videos were better at convincing da yoof.

There are also privacy fears. Das noted that biometric two-factor systems – think fingerprints and face scans – were the most popular with users by a long chalk. But its adoption has been hurt by concerns that, if data like an iris print is stolen, you can’t change your eyes.

With less than 10 per cent of Gmail users logging in with two-step authentication, last time we checked, there’s clearly a long way to go. But with a little more encouragement, adoption rates can be increased, the two academics concluded. ®

Send us news

Researcher claims Harvard nixed social media research after getting Zuck bucks

University says ties to Meta execs and a $500 million donation played no role

Duke Uni libraries decamp from 37Signals' Basecamp over CTO's blogs

We're canceling our subscriptions, say librarians citing co-founder's views

Ex-school IT admin binned student, staff accounts and trashed phone system

After getting the tintack, IRL BOFH went rogue

Zuckerberg accused of OK'ing Insta plastic surgery filters despite fears of harm to kids

'Meta knows what it is doing is bad for children ... it is now there in black and white'

No more staff budget for UK civil service, but worry not – here's an incubator for AI

Today's story was brought to you by the words politician and silly

Pope tempted by Python! Signs off on coding scheme for kids

In the name of the firewall, the server, and the home page default, amen

Microsoft creates a new kind of credential: the 'Applied Skill'

Shorter and more specific than certifications, but still tied to Microsoft products. Would you do one?

Cyber-extortionists pillage Colorado education dept

Hey, breacher, leave those kids alone

4 in 5 Chromebooks sold to US students in Q2 as demand rises

Education buyers ignore campaign group's intense criticism of device's lifespan, 'expect expiration dates for milk, not tech'

Big Tech offers free training courses on India's new digital skills platform

Mobile-first service aims to bring e-learning to the masses, covering tech and plenty more

IBM kills its Education Cloud after just two-and-a-bit years

Boffins given five months to migrate, with vanilla DaaS suggested as the alternative

This profiler chatbot promises to help speed up your Python – we can believe it

Scalene, Scalene, Scalene, Scalene, I'm beggin' of you please improve my code