Duo: Most 2FA Users Find Security Keys Convenient To Use

A recent study done by Duo Security, the company behind the Duo two-factor authentication (2FA) application as well as other security solutions, revealed that only 28% of people in the United States use 2FA. However, among those who do use 2FA, security keys are the most convenient, followed closely by push notifications (such as Duo Push or the Google Prompt) and authenticator apps.

Duo’s Findings

Duo’s study had several major findings. One was that less than a third (28%) of online American users enable 2FA for their accounts. This number was lower than what Duo expected.

Another discovery was that more than half (54%) use two-factor authentication voluntarily, while the rest have do it at work or are incentivized to enable it for some other reason. Almost half (45%) of the participants said they use 2FA on all the services that offer it.

Two-thirds of those who had enabled security keys and push notifications as an authentication method found them convenient to use, while 75% also found security keys to be "user-friendly." Only 1.8% of the participants said they had used 2FA in the past but no longer use it because they found it inconvenient to use.

Of the total participants, 86% used SMS authentication, not in small part because this is often either the only 2FA solution most services offer or at least the default one. Only 9% used physical security keys, but that was still a higher number than Duo expected.

The National Institute of Standards and Technology (NIST) has deprecated SMS 2FA because it found that it is too easy for attackers to intercept the authentication codes.

The Importance Of Two-Factor Authentication

Ideally, 2FA wouldn’t be needed because our login passwords to various services should suffice, assuming those companies use best practices to encrypt them. This would ensure that attackers can’t decrypt them, especially if the passwords you use aren’t easy to brute-force through a dictionary attack.

However, in the real world, we’ve seen that many companies either don’t encrypt passwords at all or do so poorly, leaving account credentials vulnerable to malicious hackers. This is what makes 2FA almost mandatory, at least for online accounts where you keep important data. If attackers retrieve your password, they won’t be able to login to your account unless they also have your 2FA code.

There are various 2FA methods, but the most secure, and according to Duo’s study, the one most people find the easiest to use, is a Universal 2nd Factor (U2F) security key.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • WyomingKnott
    Brilliant. A convenient, widely-used two-factor authentication device. Two negative comments:
    1) It's a great solution, but I have an unproven prejudice that challenge-response is safer than synchronized key generation.

    2) You really, really have to trust them. Just the idea of attaching an automatic keyboard to my machine brings up images of it ordering ten thousand pairs of sneakers on Amazon or something. And unless I missed something, since they hold the symmetric key and your unique id, someone with access to that data could impersonate your device. They'd still need your password for the resource in question, but a device attached as a keyboard smells like a good place to put a keylogger, a la MantisTek GK2: http://www.tomshardware.com/news/mantistek-gk2-collects-typed-keys,35850.html

    Then again, I'm paranoid. I kept my passwords in a password safe on a Palm Pilot until I broke the thing earlier this year. No internet connection. No way for someone to access the data remotely. Plus Elder Geek cred for carrying a Palm Pilot.
    Reply
  • merlinq
    20352503 said:
    Brilliant. A convenient, widely-used two-factor authentication device.

    In response to both 1 and 2:
    FIDO U2F is a challenge-response system.
    And no, the service you connect to does not have a symmetric key, it is based on asymmetric public-private key cryptography, the only record of the private key is held by you, on your YubiKey.
    Every service gets it's own key pair, so no 2 services have any knowledge of even the existence of another service, and the key pair is the only identifying feature, the service has no way of knowing whether you are using a particular key, or multiple keys.
    The Yubikey is programmable, so you can control almost every aspect of it, including what services it has.

    In terms of trust, YubiCo is one of the largest, and longest lived companies in the physical second-factor business, and is a big pusher for open-source security solutions.

    I am speaking, of course, of the physical keys pictured, which their study named as being the most secure, as well as most convenient 2FA system, not about the duo push, or sms based systems, both are, imho, woefully insecure systems.

    I too, am highly paranoid, and use a non-internet capable device for important password storage (though I do use the more convenient keepass for low-security passwords such as forums, that I use often. I have also been using YubiKeys as my 2FA system since before they helped design FIDO U2F, since I was introduced to them in the cryptocurrency world.
    Reply
  • Olle P
    Don't they mean three factor authentication?
    I've allready experienced one factor (password only), which was inherently bad since it required the password to be unique.
    Two factors (password and user name) is the norm and works fairly well.
    Adding a third factor may improve security but often come in the form of inconveniance.
    Reply
  • austintx1985
    20359226 said:
    Adding a third factor may improve security but often come in the form of inconveniance.

    I gladly accept the inconvenience for the peace of mind that not only does someone need to find my usename (not hard) and crack my password (a bit more difficult), but also need to somehow get a OTP from my Yubikey to get into my accounts. I just wish more sites/companies would offer support for OTP.

    Reply
  • WyomingKnott
    20353737 said:
    In response to both 1 and 2:
    FIDO U2F is a challenge-response system.
    And no, the service you connect to does not have a symmetric key, it is based on asymmetric public-private key cryptography, the only record of the private key is held by you, on your YubiKey.

    Ahh. I'll look for the misinformation I read yesterday, which describes the fields of the token generated before it is encrypted. If I recall correctly, this consisted of the user's id, two different sequence fields, amount of time they key had been plugged into the current system, and nothing from a challenge. It also stated that a shared key was used by the device and the service. If I find it again I'll post a link and look to see why this is the wrong information.

    EDIT: Maybe you can help me. I was reading documentation on an exactly 44-byte long encrypted message sent by the client. Does that ring a bell?
    Reply
  • merlinq
    20359745 said:
    It also stated that a shared key was used by the device and the service. If I find it again I'll post a link and look to see why this is the wrong information.

    The only thing i can think of in U2F that could be considered a shared key (other than the public key generated for the site/service) would be the key handle also generated during initial device registration with the site/service.
    It is used by the service as part of the data sent to the U2F device as the challenge, and could sort of be thought of as a "username" the device uses for that account, to allow unlimited accounts to be used on a single device, without having to use expensive (and potentially insecure) storage on the device.
    This key handle, like the public key, is unique for each account, and is not able to be used to identify a particular physical device.

    A short overview of privacy considerations follows; taken from section 12 of the FIDO U2F ARCHITECTURAL OVERVIEW ( a suggested read, available here: https://fidoalliance.org/download/ , along with the complete specifications, if you want to get deeper into it) :

    As the reader would have noticed, user privacy is a fundamental design consideration for the U2F protocol. The various privacy related design points are reiterated here:
    ■ A U2F device does not have a global identifier visible across online services or websites.
    ■ A U2F device does not have a global identifier within a particular online service or website
    Example 1: If a person loses their U2F device, the finder cannot 'point it at a website' to see if some accounts get listed. The device simply does not know.
    Example 2: If person A and B share a U2F device and they have each registered their accounts on site X with this device, there isn't any way for the site X to guess that the two accounts share a device based on the U2F protocol alone.
    ■ A key issued to a particular online service or website can only be exercised by that online service or website.
    Since a key is essentially a strong identifier this means U2F does not give any signal which allows online services or websites to strongly cross-identify shared users.
    ■ A user has to activate the U2F device (i.e., 'press the button') before it will issue a key pair (for registration) or sign a challenge.
    ■ The browser may notify the user before they form a U2F relationship with an online service or website
    An infobar could appear whenever the 'issue a key' javascript call is made.
    An infobar (with a once-only option) could appear when the 'sign with this key' javascript call is made for a particular originThe infobar approach puts a decision burden on the users - this is a downside and the infobar UX design has to be done with care.
    Reply