A quarter of the population in the United States and the United Kingdom who had not encountered two-factor authentication (2FA) two years ago have now used the technology at least once in 2021, according to a biennial study conducted by Cisco System's Duo Labs.
The census-representative survey found more than three-quarters of the population (79%) used two-factor authentication in 2021, and 72% used the technology regularly. Companies have driven the gains, with 79% of employed workers regularly using 2FA technology and only 60% of unemployed people doing the same.
The move to remote work during the pandemic, remote workers' reliance on credentials, and consumers' adoption of more services drove the strong growth in two-factor authentication, says Wolfgang Goerlich, an advisory chief information security officer for Cisco.
"E-commerce sites and social media sites have done a great job making 2FA easy to use," he says. "We are going to continue to see an increase, [because] if you combine hybrid work and e-commerce with the drive toward moving away from passwords, then we get a pretty compelling [case to] adopt more and more of these factors."
Driven by increasing attacks utilizing stolen or reused credentials, two-factor authentication has become a required technology for companies and consumers. In 2017, less than half of people had heard of two-factor authentication and only 28% had used the technology. Now, almost everyone has heard of the technology and 79% have used it at least once, according to the 2021 report.
Corporate policy and government regulation have fueled much of the adoption, with the United Kingdom and its more stringent regulatory framework leading to higher adoption rates: 77% of UK citizens have adopted two-factor authentication, while only 67% of US citizens regularly use the technology.
"Country difference may be explained by discordant regulatory standards for 2FA adoption," researchers state in the report. "Furthermore, this survey finds that UK respondents more likely to agree with the statement, 'I worry that hackers or other malicious actors could gain access to my accounts.'"
Unsurprisingly, financial accounts topped the list of most important assets to secure using two-factor authentication, with 93% of users ranking financial services as the top security priority. Email accounts came in second, with 58% of users ranking it as an important account to secure, while social media and health accounts effectively tied at about 40%.
SMS texts continued to be the most-used type of two-factor authentication, with 85% of people using that 2FA technology. Verification emails are the second most common type at 74%, while passcodes issued by mobile authentication apps came in third with 44%.
Companies need to educate consumers more on the pitfalls of SMS text messages as a second factor, Goerlich says. More than half of people surveyed would choose SMS as the second factor for a new account, while less than 10% would choose a mobile passcode application and 7% would use a push notification. SMS tied with security keys, such as YubiKey and other technology, for highest perceived security and topped the list for usability.
"There is a clear mismatch between what the survey respondents are using in terms of security and what researchers have found and identified in terms of security," he says. "It makes sense that SMS is rated high in usability, and there is a really strong familiarity with the factor, but a lot of issues have been identified by researchers."
Attempts to educate people on security problems with SMS should be careful, however, not to dissuade them from using two-factor authentication at all, Goerlich stressed.
Use of 2FA across applications continues to lag. Less than a third of all respondents used two-factor authentication for all applications, while 38% used it for some applications.
"We have made significant progress in awareness and significant progress in adoption, so future growth is going to be in a couple of different areas," he says. "It is going to be deepening the number of applications that are being protected — broadening and depending the application set that we are protecting. Second area will be moving to stronger factors."
The company found that almost a third of respondents were using password managers on a regular basis, and 42% of people are using some sort of biometric for some applications.