Vast Majority of Users Don't Use Two-Factor Authentication: Survey

Only 28 percent of users actually use a second method of identifying themselves on any of their online accounts, according to a survey conducted by authentication firm Duo Security.

Two Factor Authentication Ignorance.

Despite a steady diet of news coverage of major data breaches, more than two-thirds of people have never used two-factor authentication—a second way of identifying themselves when logging into an online account, according to a survey-based report published by Duo Security on Nov. 7.

The report found that 28 percent of Americans had ever used two-factor authentication (2FA), up from 23 percent in 2013. Students and those currently employed are more likely to use 2FA.

Older individuals and women were less likely to use a form of the technology, the survey found. Duo Security designed the survey to be very representative of the overall U.S. population.

Perhaps most shocking for the security industry is that 56 percent of respondents did not even know about two-factor authentication prior to the survey.

"I think that the media does a good job of covering these breaches and about what type of information is leaked,” Olabode Anise, a data scientist with Duo Security, told eWEEK. “But the follow-on needs to be how they can protect themselves and the benefits of two-factor authentication.”

With passwords widely considered to be insufficient to protect online accounts, security experts increasingly urge people to use a second factor when logging onto online. By far, the most popular method of confirming the identity of a user is to send an SMS text message to a pre-registered phone number, with about 86 percent of 2FA users working with the technique.

Yet, the National Institute of Standards and Technology (NIST) has warned that SMS as a second factor can be compromised and has urged online services to use other methods. The use of SMS is actually down since 2010, from 90 percent. The use of a hardware token, such as a one-time password generator, is down as well, from 38 percent in 2010 to 19 percent today, according to Duo Security’s survey.

Authenticator apps, push technology and security keys are all on the rise, however. Smartphone applications that generate one-time password codes, such as Google’s Authenticator app, have been used by 52 percent of 2FA users, up from 46 percent in 2010.

While Duo Security assumed that most individuals started using a second factor because of employer requirements, in reality most people—54 percent—have voluntarily started using the technology, compared to 29 percent that started using the technology because it was required, according to the survey.

“This was a much higher percentage than we could have estimated,” the report stated. “We anticipated a similar percentage from our 'involuntary' option since we assumed most people began using 2FA because of their employer.”

Getting more people to use two-factor authentication is important, but they also need to know the difference between the various technologies, Duo Security’s Anise said.

“We still have a long way to go to teach people about the difference between 2FA technologies and methods,” he said. People who do know about 2FA understand they use a second factor, but they don’t necessarily know about the different types of second factors, Anise said. "If we can do that, that would be one of the bigger wins,” He said.

One other interesting data point from the study was the way Duo Security validated the respondents. As a way to gauge the attentiveness of the respondents, Duo Security asked each to check the box labeled “very unhappy.” Only 77 percent of the survey takers followed directions. Duo only included the attentive respondents in the survey.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...