« February 2015 | Main | April 2015 »

March 2015

Tuesday, 03 March 2015

Who's using 2-step verification and where?

I posted a survey, Are you using 2-step verification, on 27 January 2015.  A summary of the results of 282 responses submitted through 28 February is now available. 

You're all experts

Howtechnical
The overwhelming majority of individuals who saw the announcement and responded to the survey consider themselves familiar with 2-step verification and more technical than the average user. Given my social media communities of interest, this is not surprising, but the sample is biased.

Familiarw2stepThe population sampled is (or perceive themselves to be) above average technically. They are well informed regarding 2-step verification. How does this effect the findings? The breadth of usage and percents of adoption are possibly higher among the sampled population than a more general population sampling.  

Where do you use 2-step verification?

The highest percentage of 2-step verification use among the sample population is for Google services (60%).  The nearest social media or messaging service where 2-step verification is popular is Facebook at thirty-four percent (34%). Twitter and Apple ID follow with twenty-seven percent (27%).With further data, it might be possible to claim that the difference in 2-step verification adoption between Google and Facebook indicates that the sampled population values email, document processing, and the litany of Google services they use over other social media or services portfolios, and uses 2-step verification to protect these against unauthorized access. Alternatively, it could be a related to the nature of the data the sample population shares or stores through these other mediums (in a word, it's not just "social" data). Understanding "why" is an interesting candidate for future surveys.

Where2step

Online banking, financial services and brokerage use is second at fifty-one percent (51%). I look at other responses associated with online banking later in this post. Use of 2-step verification for cloud storage is thirty percent (30%). I am surprised at the very low 2-step verification use for eBay. Perhaps this is related to use of hardware tokens rather than SMS. This is different from 2-step verification and a technical user might have considered this distinction. I unfortunately omitted Paypal through error. A future survey should correct this oversight.  

Motivation

What motivates the sampled population to use 2-step verification? Seventy percent  (70%) of responders indicated that they use 2-step where they can because they do not trust passwords, whereas twenty-three percent (23%) are OK with using passwords without 2-step. It's tempting to look at 70% as low for a technically savvy population, but I'm hesitant to include this as a finding. The survey did not ask responders to describe the circumstances where responders are "OK" with passwords. One possible reason that responders may be "OK" to use only passwords for accounts is that they do not value highly (e.g., a "throw away" registration account you create solely to obtain a report). It is also possible that responders may have conceded to use passwords where password-based authentication is the only option available. Technical users are typically better informed about risk, cost, and benefit: they may knowingly accept a risk of password compromise for a given account.

The survey does ask responders to identify services they use without 2-step verification: 

Without2step

Banksw2step

Sixty-one percent (61%) of technically astute and informed users choose or concede to use passwords for the convenience or usefulness of online banking. Nearly that percent (57%) use social media or blogging platforms without 2-step verification. These findings must be tempered, however, with the extent to which 2-step verification is available (on the right), which illustrates several findings, but most significantly, that technically astute and informed users appear to use 2-step verification for online banking when it is available.

Inconvenience factor

Only twenty-four percent (24%) of the sampled population find 2-step inconvenient.  This is surprising: instant gratification or convenience are such strong influencers in online or mobile activities so I had anticipated a higher percentage. It would be interesting to see whether the tolerance for 2-step verification would be the same for a general population sampling. 

Conclusions 

This survey was essentially an initial probe. The bias in the sample makes it difficult to draw any finding except the following: individuals who claim to be more technical and informed than the average user are also familiar with the security threat password-based authentication poses and are more inclined to make use of 2-step verification when it is available. This is particularly true for online banking services. There is also a preference among this population to use 2-step verification elsewhere.  Based on this finding, it seems appropriate to conclude that broader availability of 2-step verification, combined with awareness raising, may accelerate adoption of 2-step verification and reduce the exposure of users to attacks that are successful when passwords are the only authentication method present

Future Activity

I intend to keep the survey open and I'm eager to find other means to broaden the sample so that is not so overloaded with experts☺

If you have ideas, please start a conversation with me on Twitter (@securityskeptic) or feel free to Tweet or use other social media or mail to share the like to my post and survey at  bit.ly/18oBtwZ.

Please contact me by email or Twitter DM if you want the raw data and I'll return a link.

 

Posted at 09:01 AM in All matters security | | Comments (0)

« Previous
Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories