Many users prefer convenience to security even with DigiD
Last month, the Dutch government published the report of its latest survey of electronic government. The report provided further evidence of the security and login paradox highlighted by our own survey of Trends in Online Security & e-Identity. Even if people recognise that a given login method is less secure, they will still use it if it's convenient.
84 per cent of logins don't involve 2FA
Data on DigiD and two-factor authentication (2FA) confirms that the vast majority of logins are single-factor. Dutch consumers regard DigiD as one of the most secure ways of logging in, especially if a second authentication factor is involved. Yet very few of them actually opt for 2FA: 84 per cent of DigiD logins are made using only one factor.
DigiD app has the biggest reach
What makes the reluctance to use 2FA particularly surprising is that a DigiD app is readily available. In our mobile-dominated communications landscape, apps are the way to reach a big audience. And the DigiD app has been the most widely installed Dutch government app since summer 2018, when 7.9 per cent of the public were found to have it on their phones. By the end of last year, the figure topped 10 per cent. Nevertheless, only 3 per cent of logins make use of the app. In other words, the app's popularity hasn't led to more secure login behaviour.
Ignorance and convenience
Part of the explanation is that a disproportionately large number of people accessing government services do so using PCs and laptops, rather than mobile devices. Another issue is that many people don't realise that they can use 2FA. Much of the problem, however, is that people simply prefer convenience. The use of 2FA is rarely mandatory, and single-factor authentication is less trouble.
Big gap between awareness and behaviour
DigiD is used mainly for accessing government services. Our research shows that a sizeable majority of consumers are aware of 2FA and want to use it; only 6 per cent of respondents described it as unnecessary. In practice, though, they rarely opt for 2FA. So there's a big gap between awareness and behaviour: consumers have the knowledge, but don't act on it.