Even many tech-savvy people are failing to take advantage of the opportunity to use two-factor authentication for websites and apps, found an Indiana University study …
CNET reports that too many believe that strong passwords are enough.
Indiana University Professor L. Jean Camp and Sanchari Das, a doctoral student at Indiana University Bloomington, conducted a study of 500 people to find out why the simple security measure isn’t popular, despite its benefits and ease.
For their research, they purposely sought out tech-savvy students on campus to make sure the result wasn’t affected by people who just didn’t understand what two-factor authentication is. They wanted participants who had more security and computer expertise than the average person.
What they found was that while these students understood technology, they didn’t understand why they needed to take this cybersecurity precaution.
“There was a tremendous sense of confidence,” Camp said. “We got a lot of, ‘My password is great. My password is plenty long enough.’”
A survey late last year found that more than half of Americans had never heard of 2FA, and fewer than one-third were using it.
A secondary issue Professor Camp raised is vulnerabilities in SMS-based 2FA.
It’s not as safe as using a physical security key for two-factor authentication, because text messages can still be intercepted, like what happened with Reddit on Aug. 1.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Christopher Slowe, Reddit’s chief technology officer, said in a post.
Indeed, more than two years ago the US National Institute for Standards and Technology, which sets the standards for authentication software, says that the use of text messaging for two-factor authentication will in future be barred.
Apple makes it particularly easy to use 2FA for Apple ID login: you can have a code sent to any of your trusted devices. If you don’t already have this set up, we strongly advise doing so.