Until you have something to lose! Loss aversion and two-factor authentication adoption

Purpose – In this study, the authors seek to understand factors that naturally influence users to adopt two-factor authentication (2FA) without even trying to intervene by investigating factors within individuals that may influence their decision to adopt 2FA by themselves.
Design/methodology/approach – A total of 1,852 individuals from all 34 provinces in Indonesia participated in this study by filling out online questionnaires. The authors discussed the results from statistical analysis further through the lens of the loss aversion theory.
Findings – The authors found loss aversion, represented by higher income that translates to greater potential pain caused by losing things, to be the most significant demographic factor behind 2FA adoption. On the contrary, those with a low-income background, even if they have some college degree, are more likely to skip 2FA despite their awareness of this technology. The authors also found the older generation, particularly females, to be among the most vulnerable groups when it comes to authentication-based cyber threats as they are much less likely to adopt 2FA, or even to be aware of its existence in the first place.
Originality/value – Authentication is one of the most important topics in cybersecurity that is related to human-computer interaction. While 2FA increases the security level of authentication methods, it also requires extra efforts that can translate to some level of inconvenience on the user's end. By identifying the associated factors from the user's ends, a necessary intervention can be made so that more users are willing to jump on the 2FA adopters' train.


Introduction
Authentication is one of the most important topics in computer security, especially the part that focuses on human-computer interaction. In principle, authentication is a security measure to enforce confidentiality as it allows a device or a system to verify the identity of someone who tries to access some resources within a computer [1], an information system [2] or networks [3]. While the use of passwords as an authentication method has been around since the earliest days of computing, it is still the most common authentication method today despite numerous security incidents related to the use of weak passwords [4,5]. Many have tried to increase the security of password-based authentication by forcing users to use only strong passwords that are long and a mix of alphanumeric and special characters (i.e. lowercase letters, uppercase letters, numbers and symbols), but even that seemed to be not enough to prevent many password-related data breaches and other security incidents that have caused huge financial losses [6,7]. This is partly due to the widespread practice of reusing the same passwords [8,9]. After all, no matter how strong a password is, it is still a single-factor authentication that relies only on "something you know".
Two-factor authentication (2FA), on the other hand, increases the security level of authentication methods by using a different approach. Instead of hardening the one factor (i.e. passwords) used in the authentication process, it adds another factor in the form of "something you have" that is usually a physical item (e.g. a security token, a bank card, a key or a smartphone) or "something you are" that makes use of user biometrics (e.g. fingerprints or irises) on top of the existing password-based authentication method. While adopting 2FA arguably increases security by far, it requires extra effort that can translate to some level of inconvenience on the user's end, particularly on technical aspects like device remembrance, fragmented login services and authentication timeouts [10]. As such, the adoption rate of 2FA is not that great. For example, a study in 2015 shows that only 6.4% of Google accounts that were part of the data breach a year before had adopted 2FA [11]. Even when some tried to enforce the use of 2FA, it was not always received with open arms by the users [12][13][14]. Another fact that did not help the cause for 2FA adoption is that some users had a misconception that they would not need to adopt 2FA because of the existence of other security measures such as HTTPS, even though the two work differently and are complementary rather than substitutes for each other [15]. Clearly, something needs to be done on this matter. Understanding factors that can help promote 2FA adoption from the user's end is a priority should we want to have more people on board. Some researchers have tried to come up with nonassertive approaches of intervention to help promote 2FA adoption, either by developing stories [16], video tutorials [17] or even by giving out some incentives in the form of a digital item [18].
While the aforementioned studies tried to intervene in users' adoption of 2FA, this research aimed to step back and explore factors within individuals that may influence their decision to adopt 2FA by themselves. In other words, in this exploratory study, we try to understand factors that naturally influence users to adopt 2FA without even trying to intervene. Our main research question in this paper is: What internal factors predict 2FA adoption among Internet users? We are particularly interested in investigating the roles of demographic factors, especially income and educational attainment, in 2FA adoption. In doing so, we use the notion of loss aversion [19,20] as the point of departure. By identifying the associated factors from the user's end, further research can pick this up to investigate and propose some necessary, more appropriate and cost-effective interventions that can help persuade more users to jump on the train of the 2FA adopters.

Literature review

2.1 Loss aversion and cybersecurity behaviors
Loss aversion refers to the condition in which individuals prefer avoiding losses to acquiring the equivalent gains [20]. This is because the disutility curve of losing something is steeper than the utility curve of acquiring it [19], which makes losses loom larger than gains and the pain of losing something more intense than the pleasure of gaining it [21,22]. Interestingly, this notion also holds true for circumstances where losses are mere frames. In this respect, there is no actual difference in the expected outcomes; however, individuals still irrationally prefer the situations in which losses can seemingly be avoided. For instance, in a thought experiment of choosing a program to end a deadly pandemic [23], the majority of participants favored the one that can save 200 out of 600 lives for sure (option 1), over the alternative that has 1/3 probability to save all and 2/3 probability not to save all (option 2). Yet, when the choices were framed in the opposite way, the majority favored the one having 1/3 probability to cause no deaths and 2/3 probability to cause 600 deaths (option 3), over the alternative that causes 400 deaths for sure (option 4). In the latter case, the participants were willing to take the risk since there was still a hope, though having only a little chance, not to lose lives at all.
On the bright side, loss aversion motivates individuals to engage in behaviors that prevent such losses and thus can be used as a nudge [24]. For example, when good grades were given in the beginning instead of at the end of the semester, students studied harder and performed better to keep their good grades from any deductions should they make errors throughout the semester [25]. In the online context, loss aversion can be utilized to encourage users to be more sensitive to cyberthreats and implement more cybersecurity measures. For instance, in a lab experiment of potential cyberattacks in online shopping, users exhibited more secure behaviors such as using a secure connection, generating a strong password, limiting shared personal information, choosing trusted vendor and logging out after session, when they were notified with a loss-framed message, "you could lose part of your final endowment", than with gain-framed messages, "you could win [the] maximum final endowment", a priori [26, p. 4]. Indeed, this loss-frame type of message may affect different users in different contexts differently. In online games, it worked effectively in influencing users to change their password should they be future oriented, wanting to keep playing the game in the future, rather than past oriented, embracing memories of playing the game in the past [27].
Considering that loss aversion drives people to play safe, this notion arguably has a stronger effect on those who possess a higher value of endowment than those who do not even have one in the first place. This argument is especially relevant to illuminate the potential roles of income in the 2FA adoption. With income used as a proxy to measure utility of one's endowment [28][29][30] and the adoption set to be the point of reference, choosing to implement 2FA will protect users against or at least lower the probability of being targets of cybercrimes that can cost them their endowment as past studies highlight [see 6,7]. This decision however will not give the users further direct incentives other than feeling safer. Choosing not to implement 2FA on the other hand, will increase the probability of being subjects of such crimes while also delivering the same aforementioned incentive. This set of choices then leaves the values of potential losses as the discriminant. In this respect, the higher the income, the more utility the users would give up, the more painful they would feel should such incidents happen. On the contrary, the lower the income, the less utility the users would give up, the less painful they would feel should the same incidents happen. Thus, users would be more likely to adopt 2FA should they have higher income and less likely to adopt it should they have lower income.

Education levels and cybersecurity behaviors
Having a college degree does help one make substantial gains in critical thinking [31]. It might translate well to users' willingness to accept the slight inconvenience of adopting 2FA in exchange for the peace of mind from getting better security on their accounts. This argument is in line with the fact that users with higher levels of education tend to be more aware of cyberthreats and cybersecurity than users with lower levels of education [32,33]. Indeed, attending college does increase the probability of getting exposure to cybersecurity-related training and its cutting-edge technology including 2FA [12][13][14]. On the other hand, many studies have pointed out that higher education is one significant factor behind social inequalities and social mobility, both of which are highly related to income [34][35][36][37]. Taking these findings into account, we expected that higher education would be associated with a higher 2FA adoption rate and that this association would interact with income.

Gender and generational gap in cybersecurity behaviors
Past research has revealed that females are less likely than males to implement stronger cybersecurity measures [38]. For instance, in an Australian university, female students tended to use alphabetic or numeric characters only for their email password, which is considerably weaker, while male students tended to use the combination of alphanumeric and symbols, which is considerably stronger [39]. In various organizations and companies in the United States, female employees reported more behaviors that are prone to security threats and cybercrimes such as not using different passwords for different social media accounts, opening email attachments from strangers, sending sensitive personal information via email and clicking unfamiliar short URLs posted on social media sites [40]. This discrepancy is in line with the fact that women are underrepresented in both science, technology, engineering and math (STEM) majors and workforce including cybersecurity [41]. On the other hand, past research has also revealed a generational gap in cybersecurity behaviors. In this respect, elderly people tend to be less knowledgeable with cybersecurity measures and less familiar with possible crimes associated with cyberthreats [32,33]. In light of those findings in the literature, we expected females and elderly people to be less likely to adopt 2FA. Thus, controlling for both gender and age variables is important in examining how sensitive income and education are in predicting 2FA adoption.

Participants
An online survey was conducted in 2020 as part of a larger study about cybersecurity awareness and behavior in Indonesia. A total of 1910 participants, coming from all 34 provinces of Indonesia and recruited through social media (e.g. WhatsApp, Instagram, Facebook, Twitter), gave their consent and filled out the questionnaire in the study. As this study was aimed at the general public, all Indonesians aged 13 years and older were eligible to participate in this study. The questionnaire was delivered in the Indonesian language using Google Forms. We excluded some individuals due to duplicates, incompleteness or missing values within their responses, and the final dataset consists of 1852 participants. Table 1 shows a summary of demographic information of participants in the study.
3.2 Measure
3.2.1 2FA adoption. To measure the 2FA adoption, participants were asked whether they use 2FA or not, with three options of answer: "I have no idea what 2FA is", "No" and "Yes". We then categorized participants into three mutually exclusive groups based on their response: (1) not aware of 2FA (I have no idea what 2FA is); (2) skipping 2FA (No) and (3) adopting 2FA (Yes). The reason behind this categorization is that 2FA is not activated by default. Thus, it is highly improbable for someone to adopt 2FA without knowing of its existence in the first place. We did not ask participants to specify further on which applications they implement 2FA if they use one. In other words, it could be anything from their email or social media to banking or other financial services.
3.2.2 Income. We asked participants about their monthly income and categorized them into low-, middle- and high-income categories based on their responses. We used the annual nontaxable income in Indonesia, rounded to the closest million IDR, as the cutoff. Income is used as a proxy to measure potential financial losses that may elicit loss-averse behavior. Higher monthly income means greater values of potential disutility that will be given up should such cyber incidents happen.

Other demographic factors.
We asked participants about their educational attainment, to which we categorized them into two groups: those without a college degree and those with some college degree. Higher education is used as a cutoff due to the reasons discussed in the literature review. We also asked participants to indicate their gender and age.

Data analyses
To explore the extent to which the 2FA adoption rates vary across different demographic factors, we conducted a series of bivariate analyses with chi-square tests. We then used a multinomial logistic regression model to check if the differences as indicated in the descriptive statistics and the bivariate analyses are also statistically significant in a multivariate way. In doing so, we used no awareness of 2FA as the base. Such significant findings thereby should be interpreted as the likelihood of the respective factors in predicting being aware of but not adopting 2FA vis-à-vis being aware of and adopting 2FA. As explained earlier, we planned to examine the interaction between income and education. All statistical analyses were performed in STATA 15.1.
As a form of sensitivity analysis, we also applied a two-step logistic regression with the same model to the dataset. In the first step, we used all samples (n = 1,852) to predict user awareness of 2FA. In the second step, we excluded all individuals with no awareness of 2FA to predict user adoption of 2FA among those who are aware of its existence (n = 1,039) using the same model. Furthermore, to check for any problem with sample bias in our dataset, we also repeated all analyses above with a smaller sample size (n = 429) where we randomly omitted some individuals from the overrepresented groups (i.e. females and young people aged between 20 and 29 years) in the dataset to give a more balanced distribution that resembles the overall Indonesian population better [42]. The datasets and the STATA code are available as open access supplementary materials in our GitHub repository (https://github.com/ahmadrafie/2fastudy).
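
The bivariate step described above, as an added example in Python (not the authors' STATA code): it maps the three questionnaire answers to the study's groups, cross-tabulates one demographic factor against a binary outcome and computes the Pearson chi-square statistic with its p-value. The counts are constructed for illustration and are not the study's data; all function names are assumptions of this example.

```python
import math
from collections import Counter

# The questionnaire's three answers mapped to the study's mutually exclusive groups.
GROUPS = {"I have no idea what 2FA is": "not_aware", "No": "skipping", "Yes": "adopting"}
ANSWER = {group: answer for answer, group in GROUPS.items()}

# Constructed counts per (income level, group); NOT the study's data.
CONSTRUCTED_COUNTS = {
    ("low", "not_aware"): 60, ("low", "skipping"): 30, ("low", "adopting"): 30,
    ("middle", "not_aware"): 40, ("middle", "skipping"): 30, ("middle", "adopting"): 50,
    ("high", "not_aware"): 20, ("high", "skipping"): 20, ("high", "adopting"): 60,
}


def build_responses(counts):
    """Expand aggregate counts into one record per (constructed) respondent."""
    return [{"income": income, "answer": ANSWER[group]}
            for (income, group), k in counts.items() for _ in range(k)]


def chi2_sf(x, df):
    """Upper-tail p-value of the chi-square distribution (closed forms, df 1 to 3)."""
    if df == 1:
        return math.erfc(math.sqrt(x / 2))
    if df == 2:
        return math.exp(-x / 2)
    if df == 3:
        return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)
    raise ValueError("only df = 1, 2, 3 are implemented here")


def chi2_independence(table):
    """Pearson chi-square test for an r x c table of counts. Returns (stat, df, p)."""
    row_tot = [sum(row) for row in table]
    col_tot = [sum(col) for col in zip(*table)]
    n = sum(row_tot)
    stat = 0.0
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_tot[i] * col_tot[j] / n
            if expected < 5:  # rule of thumb: the approximation is unreliable below 5
                raise ValueError(f"expected count {expected:.2f} in cell ({i}, {j}) is too small")
            stat += (observed - expected) ** 2 / expected
    df = (len(row_tot) - 1) * (len(col_tot) - 1)
    return stat, df, chi2_sf(stat, df)


def outcome_table(responses, factor, group):
    """Cross-tabulate the levels of `factor` against 'in `group`' versus 'not in `group`'."""
    counts = Counter((r[factor], GROUPS[r["answer"]] == group) for r in responses)
    levels = sorted({r[factor] for r in responses})
    return levels, [[counts[(lv, True)], counts[(lv, False)]] for lv in levels]


def aware_subset(responses):
    """Second step of the two-step analysis: drop respondents unaware of 2FA."""
    return [r for r in responses if GROUPS[r["answer"]] != "not_aware"]


if __name__ == "__main__":
    responses = build_responses(CONSTRUCTED_COUNTS)
    for group in ("not_aware", "adopting"):
        levels, table = outcome_table(responses, "income", group)
        stat, df, p = chi2_independence(table)
        print(f"{group} x income {levels}: "
              f"chi2({df}, n = {len(responses)}) = {stat:.2f}, p = {p:.3g}")
    print("n for the adoption-among-aware step:", len(aware_subset(responses)))
```

The same chi2_sf function can be used to recompute a p-value from a reported statistic and its degrees of freedom, which is a quick consistency check on results reported in this form.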

Results
As shown in Table 2, more participants were aware of the existence of 2FA (66.1%) than those who were not (43.9%). Meanwhile, only two thirds of those who were aware of its existence decided to adopt it. As indicated in Table 3, the results show that males had a higher rate of adoption of 2FA compared to females (χ²(1, n = 1,852) = 93.66, p < 0.001), while a higher proportion of females were unaware of 2FA (χ²(1, n = 1,852) = 76.84, p < 0.001). In terms of age, participants in their 30s or 40s had higher rates of 2FA adoption compared to other age groups (χ²(3, n = 1,852) = 13.99, p = 0.003), whereas most of the older participants in their 50s or 60s were not aware of 2FA (χ²(3, n = 1,852) = 10.05, p = 0.018). There was a higher frequency of participants without a college degree among those who were unaware of 2FA (χ²(1, n = 1,852) = 4.50, p = 0.034) whereas no significant difference was found in educational attainment among those who were adopting 2FA (χ²(1, n = 1,852) = 2.86, p > 0.05). In terms of income, the low-income group had the lowest rates of 2FA awareness (χ²(2, n = 1,852) = 19.36, p < 0.001) while the opposite is true for the high-income group who had the highest rate of 2FA adoption (χ²(2, n = 1,852) = 48. 35
Table 3. 2FA awareness and adoption rates in groups of participants
Figure 1 presents the 2FA adoption rates viewed through the intersection of income and education level. Compared to their peers of the same category, the majority of low-income participants with no college degree were not aware of 2FA. In contrast, the majority of high-income participants with college degrees were already adopting 2FA. The rates of 2FA awareness and adoption exhibited an upward trend with increasing levels of income, an early indication that loss aversion is at play in 2FA adoption. Table 4 presents the multinomial logistic regression, which shows that high income significantly predicts awareness and adoption of 2FA. It also interacts with education. Users with no college degree but a high-income background tend to be aware of and adopt 2FA. In contrast, users with some college degree but a low-income background tend to skip 2FA despite being aware of it. These significant findings still hold true even after excluding the control variables (i.e. gender and age) from the model (Table 5 in the supplementary materials). The latter show that being female and older is significantly associated with no awareness of 2FA, let alone adopting it. The subsequent sensitivity analyses presented in the supplementary materials, both with the two-step simple logistic regression analysis (Table 6 in the supplementary materials) and with a smaller yet more balanced sample size (Table 7 and Table 8 in the supplementary materials), showed that the results from multinomial logistic regression are robust. The interaction terms between education and income (Figure 2) do play an important role in 2FA adoption.
Note(s): Numbers reported are the risk ratio (RR) with the standard errors (SE). *p < 0.05, **p < 0.01, ***p < 0.001. Reference category: no awareness of 2FA.

Discussion
Our findings indicate that not only does income play an important role in 2FA adoption with some interactions with education but also that income plays the most important role in the model. Those with a high-income background, with or without a college degree, have the highest probability of adopting 2FA. This finding is consistent with the notion of loss aversion, which motivates individuals to exhibit behaviors to prevent such losses [25] including in the cybersecurity context [26,27]. In this respect, the higher the income, the more likely people will adopt 2FA despite all the inconvenience that comes with it. People with a high-income background will, thus, suffer the most should security incidents that cause financial loss happen. Meanwhile, users with a low-income background, despite having a college degree, tend to skip 2FA since the expected pain associated with such losses is not as painful as that of those with a higher income. In a more extreme case, some people may not even feel the pain at all considering they have nothing to lose in the first place. Instead, this group of people may perceive 2FA as an extra burden on top of the existing single-factor authentication that usually requires them to memorize passwords. As such, the inconvenience of activating 2FA is much greater than the benefit they can perceive. Thus, it does make sense if these users decide to skip 2FA as they do not see any urgency of adopting it even if they are aware of its existence.
In this study, we control for both gender and age as the past research highlighted their roles in explaining the variations in cybersecurity behaviors [32,38,40]. This reveals that our model is robust with respect to the aforementioned factors, and it also helps us identify which demographic groups are the most prone to cyberthreats, especially the authentication-based ones. In this regard, the risk ratios for females showed that they are much more likely to have no awareness of 2FA than males. This finding may be the manifestation of, as past studies assert [41], the low representation of women in STEM majors. Thus, even though they are attending college, women still have lesser opportunity to get exposed to information about 2FA let alone adopting it. Unfortunately, we did not have enough data such as college majors to provide further evidence for this idea.
In terms of age, the results indicate that people are somewhat less likely to have no awareness of 2FA as they get older. Perhaps, it is because they are more likely to have a higher income than the teenagers or full-time students that made up a big chunk of participants in this study. This idea is in line with the finding that income is the most important variable in the model in predicting 2FA adoption. However, among those who are aware of its existence, people are also less likely to adopt 2FA as they get older. As in the past study, it could be attributed to the existing cybersecurity knowledge divide between the older generations, especially those in their 50s or beyond, and younger generations [33].
Figure 2. Probability of having no awareness of 2FA (left), skipping 2FA (center) and adopting 2FA (right) based on the interaction terms between education and income

Conclusion
This study has shown that loss aversion, represented by income as the endowment, is indeed an influential factor behind 2FA adoption. Regardless of their gender, age and education level, those with a high-income background are more likely to be adopting 2FA, whereas those with a low-income background, even if they have a college degree, are more likely to be skipping 2FA despite being aware of its existence. We have also revealed that the older generation tends to be the demographic group most vulnerable to authentication-based cyber threats as they are among the least likely to be aware of the existence of 2FA, let alone adopting it to protect their digital accounts. This issue is of particularly great concern for females compared to males.

Theoretical and practical implications
The fact that this study used no intervention in examining the 2FA adoption brought with it some important implications for practice. Perhaps developers, employers or other institutions may need to give neither bigger incentives nor stricter enforcement, as past studies documented, to promote 2FA adoption [12][13][14][18]. Instead, adoption is more likely to happen organically once the users have something to lose and that something's value is higher than the inconvenience associated with adopting 2FA. What needs to be done is to remind the users of the value that they will have to give up should such incidents happen as a result of skipping 2FA. In this study, we use income as the proxy to measure the endowment. In other contexts, it may be other things that they value as much as income such as very private/personal information. Moreover, should intervention be utilized, we suggest emphasizing potential losses of valuable endowments that users may experience by skipping 2FA. Indeed, making 2FA adoption look easy is important [16,17] and yet, as we found in this study, even those who are more educated and are aware of 2FA existence will still be less likely to activate it until they have something to lose in the first place.

Limitations and future work
With respect to sample size and sampling method, we argue that the results are considerably adequate for generalization, particularly in the Indonesian context. However, there are some limitations that should be recognized prior to doing so. First, we did not ask participants to specify further which applications they implement 2FA on. It could be the case that some activate 2FA for more sensitive and risky applications such as internet banking and other financial services, but not for any other applications they deem less sensitive and riskless. We suggest that future studies measure this variability and examine if the effect of loss aversion holds true for all types of applications.
Second, this study is observational by nature. Thereby, even though the results are promising, any causal inference should be made with caution. We also suggest that future studies incorporate college majors or academic disciplines to investigate if the gender gap in 2FA adoption or any other cybersecurity awareness issue is indeed due to low representation of women in STEM majors. As such, we highly recommend that future researchers replicate this study in other countries and examine other endowments. For example, it would be interesting to examine the difference between given and acquired endowments.
Finally, this study did not consider any nondemographic factors in predicting 2FA adoption. Future research might integrate the findings from this study with some relevant latent independent variables from the literature. For example, protection motivation [43], threat avoidance [44], risk-based decision-making [45] or risky cyber behavior [46] among others. Doing so will arguably help provide a better understanding of why people do or do not adopt 2FA to protect themselves from any authentication-based cybersecurity threats.