This post considers the perception clash that exists between what users perceive to be their most valuable accounts (email and social networks) and those they think they should protect the most (online banking). This perception disconnect is potentially harmful, as it may lead users to invest their limited willingness to secure accounts into the wrong type of accounts. Long term, this disconnect may also hinder the progression of standardized two-factor technologies, since most online banking services currently rely on proprietary two factor systems.

Understanding user perception when it comes to account value and security is a vast and complex topic that requires in-depth research. To get the ball rolling, this post analyzes the results of two consumers surveys I ran in the past few months and provide initial answers to the following three key questions:

Before answering these questions, let’s first briefly look at what is the current state of two-factor authentication so it is clear why a clash of perception is potentially no only harmful for users but also for the long term health of the whole account security ecosystem. I wrote an extensive analysis of the current state of two-factor authentication if you are interested in digging deeper in the current state of affair.

The cost of increasing online account security

usb-security-keys

Increasing online account security by adding a second factor comes with increased friction and higher costs. For example, using an SMS message or an OTP (one-time password) as the second factor requires you to check your phone before you can log in. On the hardware token side, security keys are still quite expensive (>$10) and not yet widely adopted. As a result, it is not surprising that users are wary of jumping through the hoops and end up hardly using two-factor authentication. As proof of this reluctance, as of early 2018, less than 10% of active Gmail users used a second factor, as Grzegorz revealed in his Enigma presentation about our joint research on the causes of account compromises.

Second factor: a house divided

two-factor-adoption-rate

In an ideal world, in particular for hardware token, one might hope that the cost of adding a standardized second factor would be amortized as it will be use to secure all online accounts. However as of 2019, this is just wishful thinking, as the adoption rate of standards across the industry is pretty bleak - only 11% of the hardware tokens follow the U2F/FIDO standard and only 26.8% of the software tokens use the HOTP/TOTP one as visible in the chart above.

standard-adoption

This lack of standardization is particularly acute for banks and utility services, as illustrated in the chart above, as none of them currently support either the TOTP/HOTP standards for software tokens or the U2F/security key standard for hardware tokens.

Optics is everything

Until we are able to make second-factor standards ubiquitous, we are stuck in a zero-sum game world where online services that use custom solutions compete with standard solutions for user security willingness budget. In this divided world, ensuring that online account security is on the right trajectory requires to understand the user optics on the matter and ensuring that as a tech community we focus on dispelling any potential misunderstandings.

As a starting point, the remainder of this post focuses on measuring user optics and highlighting the disconnect that currently exists between which accounts users deem most important and those they think they should protect. Sadly—spoiler alert!—as we will see, there is a serious disconnect between what users deem important and what they think they should protect.

A long-term benefit of helping users focus on protecting the accounts that matter the most to them is that —spoiler alert!—it also will help push toward a standardized world, as most of the services that offer what users consider their most valuable accounts already use second-factor standards.

Which online accounts should be the most secure?

Before delving into survey results, let’s start by discussing which types of account users should rationally secure first, based on the impact of the account being hacked on user life. This will serve as a baseline as we delve into what users perceive to be the most valuable accounts in the next section.

Email accounts

Overall, email accounts are the most valuable online accounts as they are used to exchange sensitive information with banks, health services, and various online service providers. In addition, they are also often used as the recovery mechanism for other online accounts, so if an email account is compromised, other accounts can fall like dominos.

isanyoneup

Here are a few dramatic examples that emphasize how vital it is to keep email accounts secure:

Fappening-goin g-viral

Email accounts are nowadays even more valuable than ever as they are now usually the gateway to many additional services used to store personal information whether it is an Apple iCloud account, a Microsoft account or a Google account. In 2014, the massive hack of iCloud accounts, known as the Fappening, had massive consequences on the celebrities live that got their intimate videos and photos leaked on the Internet. While the the over-mediatization of this leak eventually led to a massive backslash the damage was sadly already done.

Social media accounts

Protecting social media accounts is equally important as they contain, very much like email accounts, a lot of sensitive information, including photos and private messages. More over what set them apart from traditional messaging systems is the risk of having them being weaponized by hackers to spread fake news and create public embarrassment by posting on the behalf of the hacked users.

AFP Fake tweet

The most famous example of such consequence happened in 2013 when the Associated Press’s Twitter account was compromised. Hacker used the account to spread the false news that that White House had been bombed and that Obama had been injured. This resulted in a massive panic and a brief stock market plunge, which temporarily wiped a whopping $136.5bn off stocks, according to Reuters.

AFP-Stock-drop

Bank and other accounts

Banking, online shopping, and gaming accounts are less of a security risk as most electronic transactions can be reverted without any consequences and those accounts only hold limited personal information. To be clear, those accounts need to be protected but having them compromised is less harmful than having email or social media accounts hacked.

In the USf, thanks to Regulation E, users who have their online bank accounts hacked are only liable for up to $50 in loss if their notify their bank right away. If they wait up to 60 days to report the hack, the liability go up to $500 -- this is not chump change but it is still a limited damage compared to with having intimate data exposed on the Internet till the end of time. If you want to know more the consumerism commentary has a good article on the risk of having your bank account hacked.

Which accounts do users perceive as the most valuable?

Most-valuable-online-accounts

As shown in the chart above, more than one-third of all US internet users (37.8%) indeed consider that their email accounts are the most valuable. On the other hand, 28.5% of users value their online banking accounts the most, despite the limited risk associated with having them compromised. Social network accounts are a distant third, with 18.5% of the users deeming them the most valuable. Online store, gaming, and other accounts combined make up for the remaining ~15%.

Overall, the results are very encouraging, since two-thirds of respondents (66.3%) correctly identified what their most valuable accounts are. The overrepresentation of online bank accounts is probably due to the massive marketing effort made by banks to encourage their customers to secure their accounts.

How has the perception of the value of online accounts evolved between 2012 and 2018?

account-value-perception-evolution

The key change in user perceptions between the first edition of this survey, which I ran in 2012, and the 2018 version is the increase in the value of social network accounts at the expense of email accounts. Given the rise in the prominence of social media between the surveys and the importance of protecting both email and social network accounts, this was an expected and welcome change. What is a little concerning, however, is that the perception of the value of online banking accounts barely decreased during this period.

Which accounts need the best protection?

accounts-needs-best-protection

While users’ perception of what are the most valuable accounts is somewhat aligned with reality, the optics of which account should be best protected are completely out of whack. As shown in the chart above, the vast majority of users believe that their online bank accounts need the most protection. This misalignment of perception between which accounts should have the best protection (green bar) and the most valuable accounts (grey bar, from the previous section) is obviously very concerning, because it suggest that people may invest their willingness to secure their accounts into the wrong type of accounts.

Wrap-up

As illustrated in this post, users’ perceptions of the value and security of their accounts are not necessarily well aligned, especially when deciding which accounts need the best protection. As a community, it seems important that we understand the origin of those dissonances and work toward reducing them to ensure that users invest their willingness to secure their accounts into the accounts most beneficial for them. As a starting point, we could all, in our talks and tips about account security, remind people to adopt standardized two-factor authentication and to invest in security keys.

Thank you for reading this blog post till the end! Don’t forget to share it, so your friends and colleagues can also learn about account security. To get notified when my next post is online, follow me on Twitter, Facebook or LinkedIn. You can also get the full posts directly in your inbox by subscribing to the mailing list or via RSS.

A bientôt!