I posted a survey, Are you using 2-step verification, on 27 January 2015. A summary of the results of 282 responses submitted through 28 February is now available.
You're all experts
The overwhelming majority of individuals who saw the announcement and responded to the survey consider themselves familiar with 2-step verification and more technical than the average user. Given my social media communities of interest, this is not surprising, but the sample is biased.
The population sampled is (or perceive themselves to be) above average technically. They are well informed regarding 2-step verification. How does this affect the findings? The breadth of usage and percentages of adoption are possibly higher among the sampled population than in a more general population sampling.
Where do you use 2-step verification?
The highest percentage of 2-step verification use among the sample population is for Google services (60%). The nearest social media or messaging service where 2-step verification is popular is Facebook at thirty-four percent (34%). Twitter and Apple ID follow with twenty-seven percent (27%). With further data, it might be possible to claim that the difference in 2-step verification adoption between Google and Facebook indicates that the sampled population values email, document processing, and the litany of Google services they use over other social media or services portfolios, and uses 2-step verification to protect these against unauthorized access. Alternatively, it could be related to the nature of the data the sample population shares or stores through these other mediums (in a word, it's not just "social" data). Understanding "why" is an interesting candidate for future surveys.
Online banking, financial services and brokerage use is second at fifty-one percent (51%). I look at other responses associated with online banking later in this post. Use of 2-step verification for cloud storage is thirty percent (30%). I am surprised at the very low 2-step verification use for eBay. Perhaps this is related to use of hardware tokens rather than SMS. This is different from 2-step verification and a technical user might have considered this distinction. I unfortunately omitted PayPal through error. A future survey should correct this oversight.
What motivates the sampled population to use 2-step verification? Seventy percent (70%) of responders indicated that they use 2-step where they can because they do not trust passwords, whereas twenty-three percent (23%) are OK with using passwords without 2-step. It's tempting to look at 70% as low for a technically savvy population, but I'm hesitant to include this as a finding. The survey did not ask responders to describe the circumstances where responders are "OK" with passwords. One possible reason is that responders may be "OK" using only passwords for accounts that they do not value highly (e.g., a "throw away" registration account you create solely to obtain a report). It is also possible that responders may have conceded to use passwords where password-based authentication is the only option available. Technical users are typically better informed about risk, cost, and benefit: they may knowingly accept a risk of password compromise for a given account.
The survey does ask responders to identify services they use without 2-step verification:
Sixty-one percent (61%) of technically astute and informed users choose or concede to use passwords for the convenience or usefulness of online banking. Nearly that percent (57%) use social media or blogging platforms without 2-step verification. These findings must be tempered, however, with the extent to which 2-step verification is available (on the right), which illustrates several findings, but most significantly, that technically astute and informed users appear to use 2-step verification for online banking when it is available.
Only twenty-four percent (24%) of the sampled population find 2-step inconvenient. This is surprising: instant gratification or convenience are such strong influencers in online or mobile activities so I had anticipated a higher percentage. It would be interesting to see whether the tolerance for 2-step verification would be the same for a general population sampling.
This survey was essentially an initial probe. The bias in the sample makes it difficult to draw any finding except the following: individuals who claim to be more technical and informed than the average user are also familiar with the security threat password-based authentication poses and are more inclined to make use of 2-step verification when it is available. This is particularly true for online banking services. There is also a preference among this population to use 2-step verification elsewhere. Based on this finding, it seems appropriate to conclude that broader availability of 2-step verification, combined with awareness raising, may accelerate adoption of 2-step verification and reduce the exposure of users to attacks that are successful when passwords are the only authentication method present.
I intend to keep the survey open and I'm eager to find other means to broaden the sample so that it is not so overloaded with experts ☺
If you have ideas, please start a conversation with me on Twitter (@securityskeptic) or feel free to Tweet or use other social media or mail to share the link to my post and survey at bit.ly/18oBtwZ.
Please contact me by email or Twitter DM if you want the raw data and I'll return a link.