Smart Storytelling: Video and Text Risk Communication to Increase MFA Acceptability

Abstract

Exposure of passwords for authentication and access management is a ubiquitous and constant threat. Yet, reliable solutions, including multi-factor authentication (MFA), face issues with wide-spread adoption. Prior research shows that making MFA mandatory helps with tool adoption but is detrimental to users' mental models and leads to security-avoidance behavior. To explore feasible solutions, we implemented text-and video-based risk communication strategies to evaluate if either mode of risk communication was useful. We sought to explore users' technical biases to further examine the mental models that are associated with safer security habits. Our study of $N$ = 620 participants found that users are aware of frequent security attacks, including phishing. We found that text- and video-based communication is often useful when information is aligned with individual actions and their consequences, which can range from benign to catastrophic. Shorter mental-model-aligned video snippets piqued user interest in MFA. On the other hand, detailed risk communication videos or textual descriptions improved users' understanding of MFA and the potential risks of non-usage. Our study indicates that, beyond usability and comprehensive education, risk communication offers the potential to increase MFA adoption.