I recently heard a Google security engineer rhetorically ask himself, “Why wouldn’t we just make two-factor mandatory?”¹
The answer was obvious: usability. Two-factor authentication can be clunky. It doesn’t always lend itself to the account-reset process. Ultimately, it’s unclear how many people it would drive away from Google or any other service provider if there’s too much friction.
As of last month, only about 10 percent of the search engine giant’s Gmail users had turned on the security feature. At the time, Grzegorz Milka of Google was speaking at the annual Enigma Conference in Santa Clara, Calif.²
He was highlighting research that the search giant recently conducted with UC Berkeley. The two examined the risk of account takeover, finding that the “risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials.”
Compared to “random” Google users:
  • Phishing victims were 400 times more likely to be successfully hacked
  • Keylogger victims were 40 times more likely to have their accounts hijacked
  • Data breach victims were 10 times more likely to have their accounts hijacked
The pair also found that roughly 83 percent of phishing kits collect geolocation data, 18 percent collect phone numbers, and 16 percent obtain user-agent information. These are all key data points banks use to ensure that the people logging into their web and mobile apps aren’t criminals.
The takeaway: All of this is telling for financial institutions, all of which struggle with exactly how to balance the security they need to keep account takeover low against a service that most customers will be willing to use. So, when thinking about customer-facing security features, such as authentication and alerts, bankers need to change the conversation.
Notice the chart below. Biometric (inherence) factors – such as eye and fingerprint scanning – far outrank one-time passwords and personally identifiable information (PII) validation. That’s at least partly because these are features of convenience, not security.
Consumers are far more interested in streamlining their account logins than in spending time filling in birthdates or checking their text messages. When reimagining how to authenticate customers, banks need to keep that in mind.

About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 