Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns

Two-factor authentication (2FA) is one of the primary mechanisms for defending end-user accounts against phishing and password reuse attacks. Unfortunately, getting users to adopt 2FA remains a difficult challenge. While prior work at the intersection of measurement and usability has examined how to persuade people to avoid dangerous behavior (e.g., clicking through TLS warnings), relatively little work has conducted measurements at industry scale about how to persuade people to adopt protective behaviors.

In this work, we focus on improving end user security in the wild by examining whether (1) messaging that addresses users' motivations, mental models, and concerns about 2FA and (2) UX design patterns found effective in other fields can effectively improve 2FA adoption. To do so, we conduct a series of large-scale in-the-wild, controlled, messaging experiments on Facebook, with an average of 622,419 participants per experiment. Based on our results, we distill a set of best-practice design patterns for most effectively encouraging protective behavior through carefully communicating with users about 2FA. Finally, we suggest concrete directions for future work on encouraging digital security behavior through security prompts.