Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns


Maximilian Golla, Max Planck Institute for Security and Privacy; Grant Ho, University of California San Diego; Marika Lohmus, Cleo AI; Monica Pulluri, Facebook; Elissa M. Redmiles, Max Planck Institute for Software Systems


Two-factor authentication (2FA) is one of the primary mechanisms for defending end-user accounts against phishing and password reuse attacks. Unfortunately, getting users to adopt 2FA remains a difficult challenge. While prior work at the intersection of measurement and usability has examined how to persuade people to avoid dangerous behavior (e.g., clicking through TLS warnings), relatively little work has conducted measurements at industry scale about how to persuade people to adopt protective behaviors.

In this work, we focus on improving end user security in the wild by examining whether (1) messaging that addresses users' motivations, mental models, and concerns about 2FA and (2) UX design patterns found effective in other fields can effectively improve 2FA adoption. To do so, we conduct a series of large-scale in-the-wild, controlled, messaging experiments on Facebook, with an average of 622,419 participants per experiment. Based on our results, we distill a set of best-practice design patterns for most effectively encouraging protective behavior through carefully communicating with users about 2FA. Finally, we suggest concrete directions for future work on encouraging digital security behavior through security prompts.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {274586,
author = {Maximilian Golla and Grant Ho and Marika Lohmus and Monica Pulluri and Elissa M. Redmiles},
title = {Driving {2FA} Adoption at Scale: Optimizing {Two-Factor} Authentication Notification Design Patterns},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {109--126},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/golla},
publisher = {USENIX Association},
month = aug

Presentation Video