What happens when you deploy 2-factor authentication at a university?

"It's not actually that horrible," one survey respondent said about using a security feature called 2-factor authentication (2FA) to access their Carnegie Mellon account.

"It's like locking your doors at home or for the car when you leave," said another. "It is a pain but something that you need to do."

A team of CyLab researchers surveyed people's perceptions of 2FA as it was deployed at Carnegie Mellon, requiring anyone on CMU's payroll accessing their accounts to enter their password (factor 1) and confirm that they are the ones currently accessing their account using an app on their smartphone (factor 2). Adoption was not mandatory for students that did not hold CMU jobs, although they were encouraged.

The team, consisting of researchers in the CyLab Usable Privacy and Security Laboratory, presented its findings at last week's ACM CHI Conference in Montreal.

"CMU decided to deploy 2FA primarily to better protect our data, systems, and services by making it harder to gain unauthorized access via a compromised password," said Mary Ann Blair, Carnegie Mellon's Chief Information Security Officer. "Phishing attacks in particular were (and are) increasing in frequency and sophistication, putting more people at risk for divulging passwords."

In order to study users' perceptions of 2FA throughout the deployment, the team issued two surveys: one survey issued three weeks prior to the mandatory deadline, and one survey three months after. The two surveys totaled over 2,000 responses, and the respondents were demographically similar to the Carnegie Mellon University population.

"The surprising thing is that the reception of 2FA wasn't as bad as we thought it would be," said Jessica Colnago, a CyLab Ph.D. student in Carnegie Mellon's Societal Computing department who led the study. "We thought people would resent 2FA."

The team found three main results from the surveys:

• The majority of 2FA adopters found the process annoying but fairly easy to use, and believed it made their accounts more secure.
• Many adopters of CMU's 2FA had such a positive experience using it that they adopted 2FA for other accounts of theirs. However, due to some implementation problems during CMU's deployment, some users disliked the experience and said they wouldn't adopt 2FA for their personal accounts.
• The differences between users who were required to adopt 2FA and those who adopted voluntarily were smaller than expected.

The surprising thing is that the reception of 2FA wasn’t as bad as we thought it would be.

Jessica Colnago, CyLab Ph.D. student, Carnegie Mellon’s Societal Computing department

Based on their findings, the team offered recommendations for future large-scale deployments of 2FA to maximize its adoption. First and foremost: implement 2FA well.

"At a high level, thoughtful implementation design is crucial to lowering adoption barriers, mitigating negative consequences to users, and preventing unforeseen institutional costs," the authors said in their study.

Their second recommendation: make 2FA adoption mandatory, if possible.

"If you deploy it well, enforcing adoption won't yield the awful responses you might expect, and it will help break the preconceived notion that 2FA is awful," Colnago said. "The security benefits will outweigh any backlash you'll receive," Colnago said.

The team's final recommendation was to convince users of the value of 2FA for their accounts, and to dispel any 2FA misconceptions.

"Misconceptions can negatively influence third-party opinions and lead people to make decisions that can make the 2FA experience worse," Colnago said.

Other authors on the study included CyLab intern and UC-Berkeley student Summer Devlin, Societal Computing Ph.D. student Maggie Oates, CyLab research associate Chelse Swoopes, Institute for Software Research (ISR) and Electrical and Computer Engineering professor Lujo Bauer, ISR and Engineering and Public Policy (EPP) professor Lorrie Cranor, and ISR and EPP professor Nicolas Christin.