Two-Factor Authentication Statistics: A Good Password is Not Enough

Jimmy’s email was just hacked. The next day he woke up with a bunch of charges on his credit card he was certain he never made.

Jimmy is frustrated and irritated. But what he doesn’t know is that a simple two-factor authentication app could have saved him from all of this trouble.

He used the same password for all of his accounts and didn’t implement any additional layers of security to protect his info.

If you don’t want to end up like Jimmy, read on to find out the latest two-factor authentication statistics and learn how to better protect your accounts.

What is Two-Factor Authentication?

Two-factor authentication is an additional password you need to enter before you can access your account. It is an extra security layer that many services and websites offer as an optional addition to their standard login process.

The way 2-factor authentication works is pretty straightforward:

Each login attempt to an online service requires verification by the account owner.

The process is completed by either inputting an additional code that’s sent to you, or by clicking on a notification. Once the login is confirmed, the login attempt is authorized.

The details of the process may vary, but the idea is the same - it’s a second layer of security that, even in the case of password theft or data breach, can keep unauthorized users out of your account.

The setup is usually completed in a few clicks. All you have to do is select “dual-factor authentication” from the menu of the website, and confirm the method you wish to use later to verify your identity. Services can even “remember” the machine you’re logging in from, so the process needs to be repeated only if you access the account from a different device or location.

Types of Multi-Factor Authentication

Depending on the service and computer system, authentication doesn’t always work the same way. In fact, there are multiple ways to use multi-factor authentication, some of which involve a separate offline device. Some methods are more complicated than others, and two-factor authentication requirements might differ depending on the method you use.

Here are the current types of multi-factor authentication:

• Push notification: You install an authenticator app on a device that sends you a notification whenever there is a login attempt. The app sends your response to the server, allowing or denying access to the service. These apps are usually made by the services themselves and often show the IP address or estimated location of the person attempting to log in to the account. Push notifications are the fastest and easiest to use but require an internet connection. According to the latest two-factor authentication statistics, this is the most common method.

• One-time-password: This is usually a six-digit code generated via an app. The code can either be created at the moment you log in, or the app constantly swaps new codes in sync with the internal server clock. These apps work offline and are fast to set up. The only downside is that you need to manually type in the code.

• Email/SMS code: This is similar to the OTP method, but the code is sent to your email address or as a text message to your phone. Sometimes, an email message can include a one-click-login link that skips the whole username and password ordeal. Email is being phased out as an authentication method since it can be easily hacked.

• Two-factor token: This  physical device works completely offline, and it is one of the most secure methods of multi-factor authentication since the hacker would need to steal it from their target to gain access. Tokens can either generate one-time-passwords, or work as USB keys that, upon connecting to the computer, unlock access to the account they’re registered to.

• Biometrics: This method is relatively new, and therefore does not have such a widespread use as other methods. Biometrics include fingerprints, vocal and facial recognition, and they are considered to be the most difficult to crack. Setting up biometric verification is, therefore, a long process, as it involves additional apps and scans before it can be put to use.

Multi-Factor Authentication Benefits

Why do you need multi-factor authentication? There are several reasons - some more obvious than others - but in general, it is a way to improve security and usability without hindering any features of the service you are trying to access.

Here are some key benefits:

• Security is the most obvious benefit of using two-factor or multi-factor authentication. The more difficult it is to steal an account, the more secure it is. Two passwords mean twice the work for the attackers. Simple.
• Ease of access is another great reason to use two-factor authentication. Accessibility and reducing stress from having to remember dozens of passwords is another key benefit. Some experts believe this can, in certain business environments, even reduce operational costs and increase productivity.
• Compliance with certain standards inside of an organization is the final key factor. A company with a uniform login system is less prone to security mishaps.

Two-Factor Authentication Software

You don’t need to be a skilled hacker, nor a corporate user to get access to the most popular 2FA software on the market. In fact, most of the best apps are completely free.

Currently, there are many authenticator apps on the market. Most of them are designed for smartphones running on Android and iOS, but there are a few here and there designed exclusively for PCs. We’ll go through the most popular ones and describe how to set up 2FA on each of them.

Google Authenticator

Google Authenticator is the most-commonly used authenticator app. Like other apps of this caliber, this one works with pretty much every service and website offering 2FA. That includes Facebook, Dropbox, some video games and, of course, Google’s own services like Gmail.

This is a very simple, easy-to-use app. Once you download it on your iPhone or Android device, just enable two-factor authentication on the service you’re using and scan the QR code or enter a verification code if the service doesn’t provide QR codes. The codes should immediately start generating for that service and most of the websites will ask you to input the code on your screen.

LastPass Authenticator

When an app is advertised as “the only authenticator app you’ll ever need,” one tends to be skeptical. Luckily, LastPass works just like advertised and it works even without requiring the user to input any codes. Unlike Google’s two step verification, this app works its magic via push notifications. When you log in to a connected service, you’ll receive a notification on your phone to confirm or deny the login attempt. It’s very handy for detecting service breaches, too.

Setup is a little slower, though. You will need a LastPass account, and a browser extension if you want to connect your desktop LastPass app with the browser and enable one-tap login for the supported services. After everything is up and running, all you have to do to log in is to tap a button on your smartphone.

Microsoft Authenticator

Microsoft also has its own two-step authenticator app. It works on Android, iOS, but also on Windows 10 (both desktop and mobile), and combines the features of Google and LastPass authenticators into a multi authentication app.

The setup for most of the services and websites works exactly like with any other similar app - you enable dual-factor, scan a QR code or enter a verification key, and off you go. If you have a Microsoft account you can enable one-tap notifications and skip entering codes altogether. Visually, it’s very similar to Google’s app, with a small addition of timers showing exactly how many seconds remain until a code changes.

Dual-Factor Authentication for Gamers

Ever since the online gaming boom, hackers have been on the hunt for unprotected gaming accounts to snatch and resell for a quick buck.

World of Warcraft accounts have always been the hottest commodity on the black market, since some of them could be worth hundreds or even thousands of dollars. Blizzard, the developer of the game, has therefore created a multifactor authentication device that was fully offline but still generated codes for a two-step login. This device had a unique code you needed to enter to connect to your Blizzard account. The internal clock of the device matched the clock on Blizzard’s server, thus enabling the gamers to safely log in to their accounts. This was later replaced by a free mobile app that offers both eight-digit codes and one-tap notifications.

Another popular platform, Steam, has its own authenticator app. Steam is the biggest store for digital PC games in the world, offering tens of thousands of video games for millions of users. Therefore, a secure login system needs to be in place. The solution was two-fold and completely integrated into Steam’s mobile app that also allows for game purchasing and connecting with your gamer friends. Steam Guard is the first building block, a code generator that creates short codes from both letters and numbers, but afterwards sets the computer as “known” so the user doesn’t need to retype their password. If you lose your account, the second safety is triggered: mobile confirmation. Without completing this second confirmation, some features of the platform are blocked. Steam Guard codes need to be entered every single time you make a purchase, so there’s no possibility for a hacker to empty your wallet through Steam.

Two-Factor Authentication Statistics

With 68% of use, mobile push notifications are the most common authentication method.

(Duo Security)

The most popular multi-factor authentication solutions in 2019 were push notifications, with phone calls ranking the highest. SMS passcodes continue to be on a strong decline, especially with the rise of SIM-swapping which is already causing problems for people that use their phone numbers as a way of authentication. In fact, more people use hardware tokens than one-time-use codes sent as a text message.

19% of government agencies use hardware authentication tokens.

(Duo Security)

Industries rarely use the hardware two-factor token as their prefered method of account protection. However, the federal government is most-likely to incorporate devices into their MFA security plan. After all, these organizations operate with the most sensitive data in the country, so, for them, there’s never enough security. Among other industries, only the financial sector has reported using hardware tokens, but even this usage is only at 4%. Banks with two factor authentication are least-likely to use phone calls for their security, preferring passcodes and push notifications.

Only 26% of companies use multi-factor authentication.

(LastPass)

Strong cyber security, unfortunately, isn’t high up on the list of priorities for many companies in the United States. The most recent usage statistics for two factor authentication show a low number of small and large businesses using multi-factor authentication tools. Since companies are now more likely to be targeted by cybercriminals, every layer of additional protection matters.

77% of mobile devices have biometric security enabled.

(Duo Security)

Every time you unlock your phone with your fingerprint, you’re using its biometric security function. Experts believe we’re headed towards a passwordless future, where we won’t have to type in any codes, but instead we will just use our fingerprints, retinas, or even our voices to confirm our identity. Some of these tools are already available on our smartphones - Face ID, Touch ID, Android fingerprint, Windows Hello etc. For now, though, your password is still what matters most.

61% of people use the same password on multiple services.

(LastPass)

One of the rules for good account security is to never reuse a password. That way, you can prevent losing another account in case one of the services suffers from a security breach. Hackers, more often than not, will try to use your login credentials on popular platforms, trying to steal even more data this way. Unfortunately, the majority of people have reported they don’t rely on a variety of passwords, but instead they use the same one multiple times.

81% of security breaches are due to weak or stolen passwords.

(LastPass)

Which passwords are considered weak? A password is weak if it includes repeating letters and/or numbers, sequences, or common phrases such as: “admin,” “i love you,” and “password”. Security reports gathered from breaches revealed that internet users don’t think too hard when it comes to creating a secure password. Therefore, once that login is stolen, it’s easy for hackers to grab even more in one fell swoop.

Phishing emails are successful 47% of the time.

(Duo Security)

An average internet user might be more savvy today than he was a few years ago. But, without secondary authentication he is still likely to fall victim to a phishing attack. In a test run by Duo Security, from more than 4,000 phishing campaigns, nearly half of them captured at least one set of credentials. While this may sound like a disappointing result, it actually shows significant improvement. In 2017, the same test had a 65% success rate, so a drop this significant shows that users are getting better at distinguishing fake emails from legitimate ones.

5% of internet users are fooled by phishing emails.

(Duo Security)

The same experiment by Duo Security revealed some interesting facts about user behavior when they receive a phishing email. One in three recipients, for example, will open the email, while 17% of recipients click on the phishing link embedded in the body of the message. But, only a handful of people have entered their account information, showing a significant improvement year-on-year.

An average employee has to remember 27 passwords.

(LastPass)

We already have a lot on our minds while we’re at work. Overwhelming your employees with a truckload of passwords does not lead to a more productive or secure environment. Researchers have found out that, in companies with 250 employees, a staggering 47 thousand passwords are always in use. That’s why more and more businesses rely on password-keeping apps that can also generate more secure passwords for their employees, without relying on humans to create their own passwords inevitably get cracked.

Google’s authenticator can protect an account from up to 100% of automated attacks.

(Google)

Both Google and Microsoft’s multi-factor authentication statistics paint a clear picture - setting up a multi-factor authentication pretty much nullifies the chances of getting your account hacked. Since hackers do not have access to your device the authenticator app is installed on, they cannot complete the login process even if they somehow get ahold of your username and password. That being said, you still need to remain vigilant for account takeover fraud, as more sophisticated targeted attacks can, under certain conditions, penetrate this line of defense.

China and Russia are the most-commonly blocked countries in authenticator apps.

(Duo Security)

One of the most important tools in the authentication toolset is the ability to block logins from specific locations and prevent account takeover. If you know that you’ll never travel to a certain country, or don’t have anyone from, say, China or Russia logging into your shared system, you’ll want to put those countries on the automatic block list. This year, 3 million authentications were blocked in this vain, with the United States, India and France also appearing in the top five blocked countries by users of two-factor authenticators.

Hackers probe more than 20 million Microsoft accounts every day.

(Microsoft)

Probing, or trying out passwords from a breached database, is the most common method of account theft. Whether a password is secure or not doesn’t really matter in this case, as hackers usually just purchase a list and try each password on popular services. Microsoft recorded millions of probes each day, confirming that two-factor authentication is pretty much required now for accounts on the most popular services.