“Get a Free Item Pack with Every Activation!”

2.1 Two-Factor Authentication

While there is not much research about the combination of 2FA with incentives to adopt it, there are several studies concerning adoption rates, effectiveness and usability.

In 2014, Gunson et al. conducted a study that compared single-factor authentication (1FA) to two-factor authentication (2FA) for automated banking purposes. The 1FA mechanism required users to recall secret knowledge, a few digit PIN, on the telephone. This is common procedure for telephone banking processes. The 2FA group however was additionally tasked to enter a code that was transmitted through a hardware token. The researchers found that while 2FA was perceived more secure, it was also reported to be less usable and convenient when compared to the 1FA mechanism as it took longer and required a bit more work [23].

Cristofaro et al. made a more general survey in 2015, trying to compare different approaches to 2FA in terms of usability. They conducted a survey that recruited 219 participants on Amazon MTurk and chose to compare three different kinds of 2FA: hardware security tokens, codes send via e-mail or SMS, and apps like Google Authenticator. While all 2FA mechanisms were overall perceived as usable, most users did only adopt it because they were forced to do so (37–44 % depending on the 2FA solution), while 35–53 % were using it voluntarily. Only 9–19 % responded that they use 2FA due to incentives [14].

In 2018, Colnago et al. released a paper on how the Duo 2FA system was distributed at their university in Pennsylvania. While students had the option to adopt the system, it was made mandatory for all of the universities employees. They conducted two surveys, one before and one after the mandatory enrollment of the service, finding that most users perceived the system to be a bit annoying, but still easy to use. It also became visible that after using Duo for a while, users became accustomed to 2FA and sometimes even started using it on other accounts as well [11].

From this work, we can learn that 2FA poses an increase in cognitive load during the authentication process. This disadvantage in perception can be offset in some cases by the increase in perceived security.

2.2 Gamification

Offering in-ecosystem incentives can be considered a form of gamification.

The concept of gamification has been around since the 1980, but in 2011, Deterding et al. analytically defined the term as

The use of design elements characteristic for games in non-game contexts.

[15]

The approach of offering incentives can be considered a design element which is characteristic for games, such as a quest reward. However, the contexts in which incentives for 2FA activation are already employed are all gaming-related, so this work aims at developing gamification approaches which incentivize 2FA activation outside of the gaming context.

Gamification in security has been mostly done for training and education purposes.

Francia et al. for example developed two games about password strength and phishing awareness. They used visual metaphors like walls made from different materials for symbolizing password strength. The two games were self-explanatory and required only a short period of learning [20]. Additional work on educational games on phishing includes Anti-Phishing Phil by Sheng et al. [35], and What.Hack by Wen et al. [44].

Dabrowski et al. evaluated their own approach of enhancing university security education with gamification elements, namely leaderboards and user ranks with additional incentive for achieving the highest rank. The authors did both short-term and long-term evaluations of the system using surveys during and after the course. Results show that the gamification elements motivate the course participants to intensively engage with the course material and raise general interest in security. However, some of these effects were also attributed to the stereotype of “hacking” as something adventurous, as portrayed in the media [13].

2.3 Increasing User Motivation With Incentives

It is possible to use virtual rewards such as badges to motivate users, as Anderson et al. showed in 2013. In their study they used a website similar to Stack Overflow, generated several tasks that included different kinds of participation with the community and awarded badges for users that took part in it. Their results show that not only did the badges increase the users’ motivation and participation rates, they were also able to predict to a certain degree what a user would do [2].

Barata et al. conducted a study in 2013 where they added gamification elements to a master degree university course in engineering, including leaderboards, scores and levels. When compared to the same course in the previous year and other university courses, results showed that students and teachers seemed more content with the course and their achievements. Several other statistics such as attendance or preparation for courses also increased [4].

These studies show that incentives can be a powerful tool to motivate and steer users, even if they only exist meaningfully within a single platform. Based on the assumption that this could also be applied to incentives for 2FA that we find in video games, this is the first paper to study the feasibility of using incentives for increasing 2FA adoption for non-gaming services.

3.1 Methodology

Based on our research question, we created a 14-question online survey consisting mostly of multiple choice and Likert-scale questions. We asked participants what services from a pre-selected list they use, whether they have 2FA enabled for these services, and some general perception and usability questions regarding various 2FA methods. Afterwards, we asked about different types of incentives and how they would influence adoption as well as deactivation of 2FA.

We distributed the survey via social media and through posts in the following subreddits: r/SampleSize, r/Blizzard, r/Steam, r/WoW and r/GuildWars2. As this survey was conducted as part of a student project of one of our authors, we weren’t able to compensate the participants of this study. After the survey was evaluated, a follow-up post with summarized results was posted in the respective communities as a token of appreciation.

For the general audience, some modifications were made to the survey. First, a question about the term valve was included with different possible meanings provided to test whether or not the person would recognize it as the company behind the game marketplace Steam, followed by a second question that directly asked if the user enjoys playing video games. These were added in order to be able to better differentiate between users that were similar to the participants of the first study, e. g., having an affinity for video games and maybe already familiar with incentives, or if they were part of a more general population. We specifically asked about Valve and Steam, which might be best known to PC gamers, but less likely to console or mobile gamers. This was a conscious decision because most of the games who employ 2FA mechanics are PC-centered or even exclusive, such as World of Warcraft. In addition, questions and answer options regarding incentives were modified to include not only gaming-related options. To counter-balance our participant’s mental load of this extended survey, we chose to change our Likert-scale questions from 7-point to 5-point, trading a finer resolution with (hopefully) more accurate answers. The full question set of both surveys can be found in the Appendix.

After a pre-test with 20 personal contacts which led to minor improvements in the survey design, we hosted the modified survey on Amazon Mechanical Turk (MTurk) with the following participant requirements: Participants had to have a HIT approval rate of at least 90% and needed to be based either in Canada, Germany, the USA, or the United Kingdom. We chose the geographic locations for potential participants in accordance with our demographic sample from the gaming-focused survey. All MTurk participants were compensated with USD 2.00 for their work.

3.2 Results

3.3 General Population Sample

While we opened the recruitment to people from Canada and the UK, nobody from these countries participated in our survey. Therefore, we got 313 participants in total, with 155 from the US and 158 from Germany. After cleaning the data and removing participants who failed the attention check, we retained a total of 288 participants, with 146 being from the US and 142 from Germany. The complete demographic data can be found in Table 2.

While 92.7% of participants (95.2% from US, 90.1% from Germany) stated that they enjoy playing video games, only 62.5% (US: 62.3%, DE: 62.7%) associated the term valve with video games. For further analysis, we considered the sub-sample who recognized the company Valve as well as enjoyed gaming as our gaming sub-sample (N=179). The average age for the gaming sub-sample is at 30 years, while the non-gaming sample average at 35 years. While the gender ratio is equally divided on all mentioned genders for non-gamers (53.2% female compared to 46.8% male), there is a much larger imbalance within the gaming sub-sample where 82.1% identified as male and only 17.3% as female.

When asked whether participants use 2FA for at least one of their accounts, 85.7% agreed to do so (US: 85.6%, DE: 85.9%). The adoption rate for people from the gaming sub-sample was 87.7%. A detailed overview of account types and 2FA usage rates can be found in Table 3.

Overall, we can see that the gaming sub-sample has higher 2FA adoption rates throughout all categories. Online games have the third highest 2FA adoption rate (after banking and e-mail) for the overall sample, while in the gaming sub-sample, they are placed second highest.

After asking again about selected services, the participants were asked about what 2FA instruments they use. Again, e-mail and SMS were the most common instruments, with 35.8% of participants using e-mail and 34.4% using SMS at least once a week (gaming sub-sample: 38.0% e-mail, 40.8% SMS).

As for convenience and perceived security, SMS was ranked most convenient (μall=3.216, σall=1.783, μGSS=3.380, σGSS=1.697) and most secure (μall=2.984, σall=1.685, μGSS=2.975, σGSS=1.587). These ratings are a change from our first survey with a gaming population where Google Authenticator was ranked most convenient, and hardware tokens were ranked most secure (cf. Section 3.2.1).

For each Likert scale question we conducted a Mann-Whitney-U test and compared the ratings of the gaming sample with those of the non-gaming sample. The results were corrected using the Bonferroni-Holm method which shows that there are almost no significant differences concerning how both groups rate different 2FA methods. A notable exception to this is the convenience of service specific 2FA apps (such as the Blizzard Authenticator), which was rated significantly higher by gamers (U=7544, p<0.001). This implies that gamers are more comfortable or familiar using them.

Regarding reasons for using 2FA, the large majority of 76.0% stated that their primary reason for using 2FA is account security. This is again in line with the previous study where security was also the major concern for users.

To test which kind of incentive might be interesting for a general population we decided to phrase several ideas for incentives that were inspired by existing incentives, but modified to lose the direct gaming context and used a 5-point Likert scale to ask how likely participants would activate 2FA in this scenario. While most of these examples were closely connected to the categories we find in gaming-related incentives, i. e. cosmetic enhancements, gameplay advantages, and sanctions, we also added incentives such as one-time payments, discounts, or physical gifts to complement the selection. Results show that monetary incentives like one-time payments would be most interesting for our participants with an average score of 3.752 (σ=1.385, median=4). When differentiating between the gaming and non-gaming sub-samples, we see that gamers are more interested in gaming-related incentives like gameplay advantages with an average Likert score of 3.38 (σ=1.48, median=3) in comparison to 2.67 (σ=1.47, median=2) for non-gamers. This is supported by a Mann-Whitney-U test that shows a significant difference between the gaming and non-gaming sub-sample (U=6568.5, p<0.001). There are no other outstanding differences in the ratings for other incentives. In our first study, participants rated only three gaming-related incentives on a 7-point Likert scale. The results suggested that all were well received by users, although loss of function (σ=5.60) and gameplay advantages (σ=5.61) attracted more users than visual modifications (σ=5.01).

A graphical overview on the attractiveness of various incentives is presented in Figure 2. We can see a bimodal distribution for the permanent discount scenario with most participants of both groups finding it very likely that this kind of incentive would lead them to activate 2FA for an account. Participants from both groups found sticker sets, which we thought would correspond closely to visual incentives found in online games, very unattractive as an incentive in general. For the restriction scenario of keeping social media posts on hold for moderation unless a user has activated 2FA, we received very mixed answers.

Figure 2

Answer distributions for the question How likely is it that you would activate 2FA in the following scenarios?. Only selected incentives are presented.

To see whether incentives increase the adoption rate for 2FA, we looked again at adoption rates by service. Although most gaming-related accounts we listed in the first survey were replaced by general services, we still asked about Steam and Blizzard accounts regarding 2FA. While both have mediocre usage rates over the whole population with 54.9% for Steam and only 33.0% for Blizzard, both have high 2FA adoption rates when compared to other services. Between the gaming and non-gaming sub-samples, we see again that Steam and Blizzard have comparably very high 2FA adoption rates for all specific accounts we asked within the gaming sub-sample, i. e. 22.9% of our gaming participants use 2FA for their Blizzard accounts and 35.2% for Steam while these values in the non-gaming sub-sample are between 3.7% and 5.5%.

The 2FA adoption rates for both in the gaming sub-sample are also larger than the respective ones for all participants, where 16.3% stated to have 2FA activated for their Blizzard accounts and 23.3% use 2FA for Steam. For both the whole population as well as the gaming sub-sample these values are only topped by online banking, where 45.1% of all participants employ 2FA, and 49.2% of participants within the gaming sub-sample. Services such as Paypal, Amazon and Google Mail also have 2FA adoption rates between 28.8% and 36.3% for both groups. The other 23 specific services in the list we provided achieved lower adoption rates of at most 16.2%.

Overall we performed Fisher’s exact tests to compare the general usage rates to the 2FA adoption rates between the gaming and non-gaming samples. While we find no significant differences for specific websites, we find that participants from the gaming group are more likely to adopt 2FA for online game accounts in general (0.342, p=0.004, Bonferroni-Holm corrected for multiple testing).

5.1 Methodology

We tested the mock-up designs (cf. Figure 3) in a focus group study with 15 participants, who received EUR 10 as compensation for their participation.

The group interview contained discussion of general knowledge and usage experience of various 2FA methods, associated group rating exercises regarding simplicity, ease of use, security and likeliness of adoption. Afterwards, real 2FA incentives as well as our mock-ups were presented and discussed.

Three groups of participants were recruited through personal contacts and advertisements placed around the university campus. All participants were between 18 and 29 years old and from Germany. While the first group was an all-male assembly of five computer science students, the second group consisted of three women and two men, who also all studied computer science. The third group featured three women and two men, all participants were not enrolled into a computer science program.

In the following, we present the most important arguments and findings from our different group sessions.

5.2 Results

At the start of each session we asked participants to tell us what they knew about 2FA. While both computer science groups were able to name different methods, the third group only knew about SMS and e-mail as well as some examples from banking contexts. During the session, they seemed to have different misconceptions about what 2FA was and when it was used as they confused it with e-mails about suspicious account activities or SMS that included account activation codes.

Isn’t that sufficient? I mean, you have registered with [your phone number], so it’s a kind of two-factor authentication when they send you the confirmation code via SMS and the phone processes this code.

(A participant from group 3)

When asked about the properties of different methods, there were major misconceptions about the security of SMS. The method was perceived as very secure in all three groups with arguments such as “since they only arrive on my phone and operate on the SIM card”, or that “you cannot read the code on the lock screen, and without my fingerprint nobody can access it”. All three groups also voiced concerns about e-mail being not secure enough as they either thought hacking an e-mail inbox was incredibly easy or that it was purely depending on their password strength. This shows a lack of understanding even in the computer science groups that were otherwise able to explain not only the basic concepts of 2FA methods but in some cases also the underlying algorithms. Interestingly, although SMS was perceived as more secure than e-mail, most participants seemed to prefer the usage of an e-mail-address for 2FA and did not want to disclose their number. Authenticator apps like the Google Authenticator were mostly unknown by our focus group participants. Some people who identified as gamers reported to use them, for example for their Blizzard accounts. Hardware tokens were on the other hand very common, as many German banks require token-generated TANs for online banking transactions. An example of such a token can be seen in Figure 4. User sentiment about these generators was often negative, as our participants have experienced delays and hindrances in acquiring such a generator from their bank in the past. In addition, they report problems in generating the TANs by holding the token in front of a flickering code on their computer screen that contains the transaction information. For example, a participant from group 2 reported “it’s a fifty-fifty chance” if the device would actually work as intended. Another participant stated

It depends on what kind of token you have. If I think about my TAN generator, it’s horrible.

(A participant from group 2)

While most participants had no previous experience with hardware token, they were perceived as secure. However, participants expressed concerns about this method as the token needs to be carried in person and could easily get lost. Therefore they were rated as less convenient than other methods such as SMS.

Figure 4

A SmartTAN Optic TAN generator from a German bank. The customer’s card is inserted into the device, transaction data is transmitted through optical sensors by holding the token in front of a flickering code on screen. As a fallback mechanism, the data can also be entered through the device’s keypad. After the relevant transaction data is displayed on the screen and acknowledged by the user, the device eventually displays the TAN.

In addition, there were often different views on which methods participants would use in different cases. We saw a clear differentiation between accounts where payment data was attached or shopping history was collected, for these accounts our participants would accept 2FA rather than for “unimportant” accounts such as credentials for online forums. A de-facto consensus was the wish for a selection of 2FA methods, as then every user could cherry-pick the method they liked best.

In general, all groups seemed to agree that while rewards were an interesting approach, especially the sticker set was perceived as not good enough to weigh out the negative sides of 2FA usage, i. e. as the extra effort required and the potential disclosure of contact data. They also rejected incentives that were “too good”: Group 2 and 3 voiced concerns that a company offering rewards for i. e. a phone number required for 2FA might have malicious intents such as selling the number or abusing it for unwanted advertisements.

I would be a little skeptic whether they would sell my [phone number] later on, especially when I get something in return for [enabling 2FA].

(A participant from group 2)

Participants found the shop discount scenario very appealing, especially since it used e-mail as the second factor instead of SMS or a custom solution. Participants in group 1 and 2 explained that the shop would have their e-mail address anyway, so enabling 2FA in this case would not come with additional exposure of personal information. One participant in group 2 argued that this might abuse the situation of lower income households, basically forcing them to adopt 2FA as they would be dependant on the discount.

The inhibition of social media in the Facebook example was partially accepted as a good incentive, although some participants in groups 2 and 3 were unsure about the benefit for the users and stated that they might not use the service at all in this case as they found the inhibition to be annoying.

All three groups stated that websites that either directly handled monetary purposes such as online banking or those that indirectly handled their bank data or valuable items such as Amazon or Steam were likely candidates for 2FA adoption. Other personal information was also named, although participants deemed them not as important as websites that dealt with money. A participant from group one even explicitly stated that he would not use 2FA for dating apps, although these might hold very intimate information about a user.

Another often mentioned aspect was that participants seemed to weigh the usefulness of 2FA against the potential benefits. If a website did not hold important enough information or if a login with 2FA was required too often, they rejected 2FA usage in general. However, for i. e. a bank account, users would even use their phone number as this was deemed important enough.

Finally, participants argued that often there would be no need to lure users with rewards, but one for more explanations and educations on what 2FA is and why they should adopt it.

6.1 General Privacy and Security Perception of 2FA

We found grave misconceptions about the security of SMS. SMS messages are sent in plain text and can be easily attacked with low equipment costs [36], which is why NIST declared them insecure as a second factor in 2016, but reverted the statement in a later update [16]. Despite these security flaws, the participants in our survey as well as the focus group interviews tended to regard SMS as very secure and placed a lot of trust in the medium.

Some participant statements in the survey and the focus groups suggest that there might be a differentiation between primitive mobile phone features that use a SIM card (i. e. calling, SMS), and smartphone features that resemble typical computer applications and behaviour (i. e. apps, messaging, and web browsing) within users’ mental models. While the phone features might be regarded as more secure, the smartphone features come with similar risk perceptions as general internet and PC applications [28]. News coverage and vulnerability disclosures could have worked toward this narrative, because it is usually the phone operating system or selected apps that are portrayed as insecure, while there is no such coverage about primitive phone features.

Participants also had clear differentiation between which accounts were worth protecting with 2FA. A common pattern in our focus groups was that when monetary value or sensitive payment data (e. g. SEPA account details) is connected to an account, it becomes worthy of securing it with 2FA. In contrast, accounts which are rich with personal and intimate data but not associated with money are not deemed worthy of additional protection by our participants. This confirms prior research on the monetary value of personal data [6], [12]

This conception about data being not as worthy as actual money has been discussed before [22], and it remains open if we as a professional community should see this as a need for better concepts and communication of those, or as a field where strict consumer protection is necessary to soften the impact of these user mental models.

When it comes to handing over phone numbers, we saw some mix-up between account validation purposes and actual 2FA setup. While companies usually employ account validation via SMS to restrict automated account creation and increase the advertising value of their users’ data, 2FA via SMS has the only purpose of making the account more secure. We regard this tendency as very alarming, since we hypothesize that the practices for user data harvesting have the potential to negatively influence users’ mental models of 2FA’s security benefits.

6.2 Incentives in Gaming

While the adoption rate for 2FA in gaming services that offer incentives are rather high (cf. Table 1), we see only very small approval when asking directly about the influence of an incentive on adopting 2FA.

It could be that these gaming accounts in question are first and foremost seen as valuable accounts by our participants, since especially Massively Multiplayer Online game (MMO) accounts often contain hundreds of hours of playtime and an assortment of valuable items. The side-economy of buying and selling actual accounts for often several hundred Dollars on marketplaces like eBay or special platforms like g2g [21] gives this perception additional weight. This might make the value of gaming accounts more visible than for example, social media accounts [34].

Another approach to explain this discrepancy could be increased advertising of 2FA through the measure of incentives. Usually, gaming publishers release accompanying news and social media posts when introducing an incentive for 2FA adoption [9], [19], [38], this generates publicity and might introduce players to the concept of 2FA who haven’t been in contact with this security measure before, thus raising awareness for account security in general. These news are often further distributed by major gaming news websites such as Kotaku [33], [45]. Our findings from the focus group interviews where participants generally wished for more and better education on the subject of 2FA resound with this observation.

Besides social media posts and press releases, visual incentives in an online game are also advertising in itself. Players see new items, skins, or companions in-game and might start asking around or researching how to acquire them. This way, they also eventually reach the information about account security and might become aware of the security benefits of adopting 2FA. However, our focus group interviews have clearly shown that this mechanism only works in closed economies with a focus on collecting rare and different items. In the general online world, the attractiveness of a sticker set incentive was made highly dependant on the target group, e. g. teenagers.

6.3 Influence of Incentives on Security

When an incentive allows for reliable distinction between users who have activated 2FA and those who have not, the service provider might endanger their users who have 2FA not enabled. A well-designed incentive thus must not allow to filter users by 2FA activation.

Visual incentives in games like skins, emotes, or mini pets can be disabled, switched out, or simply not used by players. Access to restricted vendors is not visible to outsiders, the same goes for inventory space and in-game wallet.

Steam’s trading hold time for 2FA-disabled accounts is visible to trading partners, but initiating a trade needs confirmation from both participating users.

When designing incentives for non-gaming contexts, designers have to keep this security constraint in mind, especially for social features such as moderated posting.

6.4 Transferability between Gaming and Non-Gaming Contexts

Video games and especially MMOs have fixed and clear rules of value [29]. Collecting a wide variety of items, especially rare items, is deemed an important meta-goal in online multiplayer games. This pressure to collect is not as prominent in daily life in Western societies as it is in gaming communities, which has to be taken into account when discussing the transferability of incentives for 2FA.

Our focus group results have shown that especially visual incentives work better in closed-economy contexts than in the daily online world, as sticker sets were dismissed as rather special or only suitable for a narrow audience like teenagers. The general controversy about incentive types we saw in the group discussions suggests that maybe offering a range of incentives from which participants could pick the one they like best would be a golden way for non-gaming contexts. However, this would come with increased setup costs for service providers.

Our focus group results also indicate that there is a certain sweet spot about the power of an incentive. Participants acknowledged the increased pressure on low-income customers in the context of discount incentives. While all participants agreed that 2FA was a good thing in general, they were rather torn on incentives that de-facto pressured users into enabling 2FA because of powerful advantages. In addition, we observed concerns about unfair advantages or even incentives as bait for data abuse. When an incentive looked too good to be true, our participants turned skeptical and suspected a bait offer to gather phone numbers or the like. Regarding the transfer of 2FA incentives into non-gaming contexts, incentives that offer discounts or in-ecosystem advantages such as more space in the cloud might work best.

6.5 Suggested Incentives for the Non-Gaming Context

Gamers have an overall higher adoption rate throughout all categories of services we asked about. This could indicate that successfully adopting 2FA in at least one field lowers the bar for adoption in other fields.

In regard to our proposed examples for incentives mechanisms in non-gaming contexts (cf. Figure 3), we found that the shop discount was the most attractive example for our focus group participants. The monetary discount is a strong pull, and e-mail as a second factor is perceived as non-intrusive. No additional user data disclosure is needed for setting up 2FA in this case, which was an aspect that our participants highlighted as positive.

In contrast, the other scenarios we proposed were dismissed as not very attractive (sticker set), and too restrictive (Facebook posting restrictions). We were curious about the attractiveness of cosmetic incentives and thought the sticker feature of many modern messengers would be a good equivalent to gaming contexts, but it turned out that stickers have no such collection effect as weapon skins or mini pets in the gaming context might have.

Drawing from these results, we propose the following design recommendations:

1. The industry should consider monetary benefits as we found that 2FA incentives for non-gaming contexts to be attached with monetary value where applicable and effective.

2. Services should offer a set of alternatives as second factors to suit users’ needs and their willingness to accept privacy trade-offs for enhanced account security.

3. Also, as we saw the wish for more education regarding 2FA, we strongly propose some educative text or media to accompany a 2FA campaign in non-gaming contexts, as users are usually not as tech-savvy as gaming populations.