Skip navigation
Graphics of different authentication methods overlaid on a black paper background
Duo Labs

2FA Statistics: 2FA Climbs, While Password Managers and Biometrics Trend

Duo Labs's State of the Auth report draws insights on individuals’ experience and perception of 2FA from 2FA statistics taken in America and the U.K.

Adoption of two-factor authentication has substantially increased since we began conducting this research in 2017. However, considering only 32% of respondents report using 2FA on all applications where available, there’s still ample opportunity to improve 2FA adoption.

To better understand just where there is room for improvement in 2FA adoption, use, and perspectives, this post will explore notable 2FA statistics from the most recent State of the Auth report.

What percentage of users use 2FA?

Two-factor authentication has become notably more prevalent over the last two years. Our 2FA statistics show 79% of respondents report having used it in 2021, compared to 53% in 2019 and 28% in 2017.

Graph showing responses to the question,

Two methods most often used for two-factor authentication

SMS (85%) continues to be the most common second factor that respondents with 2FA experience have used, slightly up from in 2019 (72%). Email is the second most common second factor (74%), with a notable increase compared to 2019 (57%).

Graph that answers the question,

Additionally, respondents consider SMS as the most usable second factor, followed by mobile passcodes. In this study, usability is a scale combining convenience, enjoyment, frustration, and necessary instructions.

Graph that shows the perceived security and usability of 2FA factors among respondents. SMS has a perceived overall usability of 5.46 and a perceived security of 5.73 (with 697 respondents). Mobile passcodes have a perceived overall usability of 5.27 and a perceived security of 5.66 (with 363 respondents). Push has a perceived usability of 5.27 and a perceived security of 5.49 (with 292 respondents). Email has a perceived overall usability of 5.19 and a perceived security of 5.68 (with 608 respondents). Phone has a perceived overall usability of 4.84 and a perceived usability of 5.45 (with 235 respondents). Security Keys have a perceived overall usability of 4.83 and a perceived security of 5.73 (with 79 respondents). Hard tokens have a perceived overall usability of 4.42 and a perceived security of 5.68 (with 66 respondents).

These statistics on 2FA methods are somewhat troubling, considering unsecure phone lines leave SMS as one of the least secure authentication methods. While SMS is certainly more secure than no 2FA at all, there's definitely room for improving security here. Other factors, such as push notifications and security keys, are more effective in preventing account takeovers.

2FA in the workplace drives adoption

Among respondents who are currently employed, 2FA adoption is nearly 20% higher than those who are unemployed. This gap is likely due to the growing number of organizations mandating MFA, with 62% requiring MFA for their entire workforce.

Graph that shows 2FA adoption by employment. Of 670 employed respondents, 528 are using 2FA (a 79% adoption rate). Of 368 unemployed respondents, 221 were using 2FA (a 60% respondent rate).

Users perceive banking accounts as most important

Respondents continue to have money on their mind, with 93% considering financial accounts the most important to secure, up from 85% in 2019.

Graph showing respondent's estimation of the most important accounts by category (with respondents being able to choose up to 3). 93% of respondents choose banking and investing accounts, 58% of respondents chose email accounts, 40% of respondents chose social media accounts, 39% of respondents chose health accounts, 31% of respondents chose utilities accounts, 29% of respondents chose professional development accounts, 27% of respondents chose retail accounts, 10% of respondents chose entertainment accounts, and 8% of respondents chose transportation accounts.

But in comparing user perception to reality, there's evidence that the impact of an email compromise is more harmful than a financial account compromise:

“Overall, email accounts are the most valuable online accounts as they are used to exchange sensitive information with banks, health services, and various online service providers. In addition, they are also often used as the recovery mechanism for other online accounts.” – Elie Bursztein, Cybersecurity Research Lead, Google

Non-traditional authentication methods move the needle

Two contemporary trends in primary authentication are password managers and biometrics. Password managers are a tool which securely stores a user’s existing passwords and can assist in the creation of new, more secure passwords. Instead of using something you know (username and password) as the primary factor, biometric authentication verifies identity with a user characteristic (such as a fingerprint).

In this survey, 32% of respondents report using a password manager, and 42% report using biometric authentication for at least some applications. A separate study conducted by Duo found the top two user privacy concerns about biometric authentication were attackers replicating a biometric (42%) and distrust of companies with personal biometric information (36%).

Why use 2FA?

Multiple account compromise is the norm, but it doesn't have to be. 76% of organizations experienced multiple account or credential compromises over a 12-month period. 2FA is the simplest, yet most effective way to verify that users are who they say they are. By integrating 2FA with your applications, attackers are unable to access protected accounts without the physical device needed for second facto authentication.

A successful 2FA solution protects against common, yet costly threats like:

  • Stolen passwords: A stolen password isn't good enough for a hacker to access an account anymore. With 2FA in place, they'll need an additional verification method—something the attacker typically can't input without the user's device, biometrics, or token.

  • Phishing attempts: Hackers' attempts to steal a user's login credentials through phishing emails or decoy websites won't go far with 2FA. 2FA defends against phishing attacks by adding a second layer of validation after the password has been entered.

  • Social engineering: By validating the location and IP of every login attempt after a password has been entered, hackers who've manipulated users into giving up their passwords still are unable to access the victim's account.

  • Brute-force attacks: Some hackers use tools to randomly generate passwords for an account until they input the correct sequence. 2FA's second layer of protection requires further validation from the true user, allowing them to deny the access request.

  • Key logging: Hackers who have tracked a user's keystroke and copied their password can't breach a 2FA account without being able to provide that second method of identity verification.

Explore our complete findings and more 2FA statistics by downloading the 2021 State of the Auth report.

A call to action image, encouraging readers to visit the 2021 State of the Auth Report