Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy-to-guess passwords and for reused passwords that were breached on another site. The most security-conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?
A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.
This sentiment reflects something the security researcher Cormac Herley wrote about a decade earlier: "It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them." Incentivizing users to take additional security measures is one way to offset the time investment and encourage users to place value in better account security.
How to drive adoption of 2FA
Websites are getting savvier about how they get people to enable 2FA. Unless you're a company like Coinbase you probably won't make 2FA mandatory, but you have options beyond hiding it in profile settings. Login prompts can be effective, especially if you are persistent about the reminders.
How free emotes popularized 2FA
The idea of offering product incentives to enable 2FA was popularized by Fortnite in 2018. The incentive got a lot of attention in the media, and you can see its effects on public interest in Google search trends for 2FA:
That first spike in 2018 can be attributed to Fortnite, which publicized its incentives around the same time. Google trends for related topics and queries to 2FA still center around Fortnite and its parent company, Epic Games.
Incentives like these may be one of the reasons public awareness of 2FA has increased since 2017, according to a 2019 study by Duo Security.
Fortnite isn't the only company offering incentives though, and there are a variety of ways companies are encouraging their users to enable the security feature.
Who's offering 2FA incentives?
Cormac Herley, quoted earlier, posed the question on Twitter last month:
Can anyone think of examples of companies offering users incentives to use 2FA? Not asking about encouragement, awareness-raising, free fobs etc; thinking of discounts, enhanced service etc. Tx.— Cormac Herley (@CormacHerley) April 6, 2020
Video game companies seem to be the most common, which makes sense, since the gaming economy is large and in-game incentives are basically free to provide. World of Warcraft and Rockstar Games both offer 2FA incentives like this. Twitch, also a Twilio Authy 2FA customer, started offering similar emote incentives last month.
Platform and service companies also offer incentives in the form of billing discounts. Mailchimp offers a 10% discount for 3 months for accounts that enable 2FA. Hosting provider NIC.UA offered a 15% discount when they released 2FA in 2017.
Feature gating with 2FA
Another way to incentivize 2FA is to unlock certain features only for users with 2FA enabled. This is one way to enforce 2FA for higher-value accounts.
For example, GitHub requires 2FA for users who want to participate in their Sponsorship program. Apple no longer allows you to disable 2FA, citing that "certain features" in recent versions require the extra level of security.
Epic Games offered another incentive last month, unlocking the gate to free games for users who turned on 2FA.
Not all consumer companies can get away with requiring 2FA, but if your users understand the risk, then it can make sense. Financial companies including banks and cryptocurrency companies may require 2FA for their users. We've also seen companies hit with bad security press mandate 2FA.
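The two mechanisms described above, a feature gate for 2FA-enabled accounts and a persistent login reminder, as an added example that is not code from the original post or from any of the companies it mentions. The `User` model, the `GATED_FEATURES` set, the seven-day reminder interval and the feature names are constructed for illustration:

```python
"""Gating features behind 2FA enrollment and nagging at login until it is on.

Example code added for illustration; the User model, feature names and the
reminder interval are assumptions, not any real product's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from functools import wraps
from typing import Callable, Optional, Tuple


class TwoFactorRequired(Exception):
    """Raised when a 2FA-gated feature is used by an account without 2FA."""


@dataclass
class User:
    user_id: str
    two_factor_enabled: bool = False
    # Channels the user enrolled, e.g. {"totp"} or {"sms"} (constructed field)
    channels: set = field(default_factory=set)
    last_2fa_reminder: Optional[datetime] = None
    reminder_count: int = 0


# Higher-value features that require 2FA (constructed list, like GitHub
# requiring 2FA for Sponsors or Epic gating free games on 2FA)
GATED_FEATURES = {"sponsorships", "payout_settings", "api_tokens"}


def is_allowed(user: User, feature: str) -> bool:
    """A feature is allowed unless it is gated and the user lacks 2FA."""
    return feature not in GATED_FEATURES or user.two_factor_enabled


def require_2fa(feature: str) -> Callable:
    """Decorator: refuse the wrapped action unless is_allowed() says yes."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if not is_allowed(user, feature):
                raise TwoFactorRequired(
                    f"{feature} requires two-factor authentication; "
                    "enable it in your security settings to continue"
                )
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_2fa("sponsorships")
def enroll_in_sponsorships(user: User) -> str:
    return f"{user.user_id} enrolled in sponsorships"


@require_2fa("profile_bio")
def update_bio(user: User, bio: str) -> str:
    # "profile_bio" is not in GATED_FEATURES, so everyone may use it
    return f"{user.user_id} bio set to {bio!r}"


def attempt(action: Callable, user: User, *args) -> Tuple[bool, str]:
    """Run an action and report (allowed, result or refusal message)."""
    try:
        return True, action(user, *args)
    except TwoFactorRequired as exc:
        return False, str(exc)


REMINDER_INTERVAL = timedelta(days=7)  # constructed value: how often to nag


def should_prompt_at_login(user: User, now: datetime) -> bool:
    """Show the 'turn on 2FA' prompt on first login and again whenever
    REMINDER_INTERVAL has elapsed; never for users who already enabled it."""
    if user.two_factor_enabled:
        return False
    if user.last_2fa_reminder is None:
        return True
    return now - user.last_2fa_reminder >= REMINDER_INTERVAL


def record_prompt(user: User, now: datetime) -> None:
    user.last_2fa_reminder = now
    user.reminder_count += 1


def enable_2fa(user: User, channel: str) -> None:
    """Any enrolled channel lifts the gate; TOTP and email count as much as SMS."""
    user.channels.add(channel)
    user.two_factor_enabled = True
```

The gate is expressed once, in `is_allowed`, so the same rule can back both the server-side check and the UI that explains why a feature is locked; the reminder logic keeps state per user so the prompt is persistent without firing on every single login.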
Privacy considerations for incentivizing 2FA
Every time this discussion comes up I see some version of this question: "are companies just doing this to collect your PII?"
Do they allow TOTP or is this just a ploy to collect phone numbers?— Rich Felker (@RichFelker) April 28, 2020
Please don't be that company. Separate marketing from security and be clear about how you're using user data. Offer incentives for all channels, including TOTP (no PII required) or email (which the company likely already has). Facebook already destroyed a lot of user trust when it was caught using 2FA phone numbers for ad targeting (it stopped in 2019), and we can't risk alienating users further. Fight to protect user privacy while encouraging greater security; they are not mutually exclusive goals.
SMS based 2FA still offers better security than no 2FA, but if possible, don't force your users to use a channel they don't want to use.
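To make the "TOTP needs no PII" point concrete, here is an added example (not code from the original post or from Twilio Authy) of the server side of TOTP enrollment and verification per RFC 6238, using only the Python standard library. The only thing stored per user is a random shared secret; no phone number is involved. The `ISSUER_NAME` label and the `last_counter` replay bookkeeping are assumptions of this example:

```python
"""Server-side TOTP (RFC 6238) enrollment and verification with no PII.

Example code added for illustration; ISSUER_NAME and the replay bookkeeping
are assumptions, not any product's implementation.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple
from urllib.parse import quote

ISSUER_NAME = "example-service"  # placeholder issuer label for the QR URI
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, timestamp // step, digits)


def enroll(user_id: str) -> Tuple[bytes, str]:
    """Create a fresh 160-bit secret and the otpauth:// URI shown as a QR code.

    Note what is NOT needed here: no phone number, no e-mail address. The
    enrollment record is just (user_id, secret).
    """
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{ISSUER_NAME}:{user_id}")
    uri = (f"otpauth://totp/{label}?secret={b32}"
           f"&issuer={quote(ISSUER_NAME)}&digits=6&period={STEP_SECONDS}")
    return secret, uri


def verify_totp(secret: bytes, code: str, timestamp: int,
                last_counter: int = -1, window: int = 1) -> Tuple[bool, int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (accepted, new_last_counter). Any time step at or before
    last_counter is refused, so a code that was already accepted cannot be
    replayed even while it is still inside the drift window.
    """
    counter = timestamp // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_counter
```

Two details matter in the verification path: `hmac.compare_digest` keeps the comparison constant-time, and tracking the last accepted time step per user turns each code into a single-use credential rather than one that is valid for the whole drift window.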
Offering 2FA is no longer enough; you need to make sure your users turn it on. Short of forcing them to, you have several options to drive adoption. Consider what product incentives make sense for your business, or gate certain features for 2FA-enabled accounts. At minimum, remind your users that turning on 2FA is an option. How is your company incentivizing users to turn on 2FA? Let me know on Twitter or leave a message in the comments.