The 2019 State of the Auth Report: Has 2FA Hit Mainstream Yet?

Duo Labs just released its second State of the Auth report to take the pulse of people’s understanding of security and 2FA in America and the U.K.

Stealing user credentials remains one of the easiest and most vulnerable areas for hackers to gain access into secure systems. Luckily, two-factor authentication or 2FA (also known as MFA or multi-factor authentication) is one of the easiest security methods available to protect user credentials from being stolen. Instead of a single login gaining automatic trust into a network, 2FA requires multiple methods of verification prior to granting access. Methods can include push notifications from an app like Duo Mobile, SMS texts, email and biometrics. In addition, admins can set policies that control access and establish device trust. But has 2FA hit the mainstream yet?

What A Difference Two Years Makes

The Study Results Show That 2FA Is Catching On

Awareness in 2FA shot up from 44% of respondents in 2017 to 77% in 2019. That’s a 33% gain over a two year period.

More Users Are Adopting 2FA Security for Protection



In 2017, a mere 28% of respondents were using 2FA compared to 53% in 2019. That is a solid 25% gain in user security.

SMS Text Message Is the Most Used Authentication Method



In both 2017 and 2019 SMS authentication for 2FA dominated, likely because it is the most offered option or adoption is required by organizations (although it is not the most secure).

The Fastest and Most Secure 2FA Authentication Method Is U2F



A 2FA user that uses SMS as their second factor could save time by switching to other, more secure, auth methods.

Push saves a user 13 minutes annually over SMS

U2F saves a user 18.2 minutes annually over SMS

Of All Accounts, Securing Banking Accounts Is The Most Important



The participants have their money on their mind, and consider financial accounts the most important to secure by 85%.

How Concerned Are Users of Account Security?



We asked respondents whether they agree with the statement: “I worry about malicious actors gaining access to my accounts.”

39% of US respondents strongly agree

25% of UK respondents strongly agree

We also asked respondents whether they agree with the statement “I believe that my accounts are generally secure.”

74% of US respondents somewhat agree, agree or strongly agree

78% of UK respondents somewhat agree, agree or strongly agree

Key Takeaways

Adoption of 2FA security is on the rise, which is very good news. This is largely driven by organizations deploying 2FA technology within their networks, but it's also due to 2FA being seen “in the wild” in folks’ personal lives through apps such as email, social media, shopping and financial services accounts, like banks and brokerage firms.

This also means that since most folks now know what 2FA is, we’ve also seen a marked gain in the actual adoption of 2FA. Usage for 2FA swelled from 28% in 2017 to 53% in 2019. There are a few big reasons for this. Along with 2FA showing up more in our personal applications, organizations are putting 2FA into their user workflows for access to corporate data. Corporations are constantly improving the user interaction and design for security with “end user experience” in mind to make these barriers to access easier. The user interface bar has been raised by Apple, Google and others incorporating 2FA technology into their platforms, which incentivizes other enterprises to keep up the security pace. User’s have high expectations of simplicity when security creates a new barrier to access and this will continue to be “more” and not “less.”



It’s Also Not Surprising That 2FA Usage Tends to Skew to Younger Folks.

2FA Users Skew Younger



According to our survey results, the younger the respondent, the more likely they are to use 2FA, with the 18 to 24 age group leading the charge.

2FA Use by Age











Younger users are tech savvy and more in tune with the knowledge that “credential exposure” or “credential hijacking” is a real threat. They’ve been exposed to hacks and have been warned of credential stealing since university. By contrast, older users have likely been using the username/password combo with a false sense of security for years – using just a username and password has been proven to be insecure.



Turns Out Email Is the Most Important Account to Protect

There is a lot to love about these usage and awareness stats, but there is one misconception here that I would like to highlight. Most users believe that they only need to protect “important” applications or accounts like bank accounts, brokerage accounts — basically financial accounts. Now, this makes sense on the surface to most of us since hey, that’s our money and we’re led to believe that that’s what attackers are after in most cases. But this belies the sophistication of these attackers.

In many cases these bad folk can monetize your data from other accounts — and your data can sometimes be just as valuable as your actual money. Attackers are sneaky, and where there’s a will there’s a way.



Why Email Is the Most Important Account to Protect



A good example, let’s say you have 2FA on your bank account and it’s using, say, an SMS-based authentication, since SMS is the most common method of authentication (SMS is not the most secure. Don’t believe me? Ask NIST. But it is better than nothing). Most of these systems have a mechanism for when/if you lose your 2FA device or just want to enroll a second device, and most of the time that is tied to your email address. So if your email address password is compromised, that could be further reaching. Think of 2FA like a flu shot. It’s only truly effective if everyone (or nearly everyone) gets it. This is why it’s so important to use 2FA on all of your accounts.

It’s also important to use a 2FA solution that’s easy to use, because there is a little 2FA fatigue as well. 2FA requires you to do “one more thing” before you log in and this can turn users off if it is too hard to use.



Frictionless vs. Secure



Users just want to get access to their “stuff” in a frictionless way, and we have to face it, 2FA adds a little friction. SMS-based 2FA seems easy, but requires the user to remember or copy-paste that six-digit code. This forces the user way outside of their access flow. The Duo “green ✓ check, red X” is a familiar paradigm and while it’s still technically in the flow, one push or biometric is way easier than “go to texts > copy-paste > go back to app.”

America vs. United Kingdom, 2FA Awareness is the Same

It’s also worth mentioning that 2FA awareness is universal. We didn’t find a marked difference in awareness and/or implementation between different countries, in our case the US and the UK. This is a very positive statistic as it shows that operating a multinational organization is consistent (think GDPR awareness in Europe as well as the US).

The survey shows folks are embracing 2FA as part of their daily lives with help from their technology partners (Apple, Microsoft, Duo/Cisco) and their favorite partners (folks like Ebay, Facebook and others who have enabled or required 2FA). I certainly see this continuing to get better.



2FA Hasn’t Reached the Tipping Point Just Yet

It’s taken us quite a while to get here and it will continue to be a journey. We’ve been using passwords since the 60’s and using them to protect online accounts since the 90’s — it’s been a slog. Imagine how the world would be if Microsoft had built 2FA into Windows 95, or Windows 98 or heck, even Windows 7. We probably wouldn’t be talking about this. But they didn’t, and I can't really blame them. Few saw this coming back then, so today we’re left working with the tools we have… now.

Is the Future Passwordless?

It’s also worth mentioning that there is a vigorous, focused effort on killing the password for good. I for one cannot wait for this to hit the mainstream. This would be a complete overhaul of the user experience for logins and accessing apps.

To get a by-the-numbers look at the State of the Auth data, check out our infographic. And for the full research paper, download the 2019 State of the Auth report.

















