Endpoint

11/7/2017
02:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Less Than One-Third of People Use Two-Factor Authentication

The number of 2FA users is still lower than expected, but most adopters started voluntarily, researchers found.

The adoption rate for two-factor authentication (2FA) is even lower than expected: 28%. But on the bright side, those who use it report that they started 2FA voluntarily.

Researchers at Duo Labs hypothesized the majority of the US doesn't use 2FA. Their results were confirmed in a survey designed to measure both adoption of 2FA and users' perceptions of it. More than half of 443 participants had not heard of 2FA prior to taking the survey.

More than half (54%) of the 126 people who use 2FA were voluntary adopters, which took researchers by surprise. They had expected involuntary adopters would be this high, with the assumption that most people began using 2FA because their employers required it. However, results proved them wrong: only 20.8% of respondents learned about 2FA in the workplace.

"Initially, [20.8%] was surprising, but we realized that it seems reasonable," says Kyle Lady, senior R&D software engineer at Duo. "Consumer financial services have offered SMS-based authentication for many years, and services such as Gmail and Facebook occasionally prompt users to enable security features."

Less than half (45%) of people who employ 2FA use it across all the services that offer it. Those who only use 2FA for some apps and services explain their use with three popular answers: they are required to use 2FA, it's easier to enable 2FA on certain websites and apps, or certain websites and apps hold data they want to protect.

While it's easy to understand why people want to safeguard sensitive data, Duo data scientist Olabode Anise says the ease-of-use factor is critical.

"The finding that ease of setup was a major factor in 2FA use underscores the importance of making it as easy as possible for users to get into a desired state of security," he explains.

Most people (85.8%) prefer email or SMS for 2FA. This wasn't a surprise: many websites and applications offering 2FA have SMS as a default option. Researchers hope any future change points to a decline in SMS use, as it has become easier to social-engineer wireless carriers into forwarding text messages to another SIM card, or intercept messages via fake cell towers.

At 9% adoption, 2FA via security key was the least common method, which was understandable as security keys are the youngest 2FA technology. Adoption of authenticator apps increased as well, from 46% in 2010 to 52% in 2017. Hard tokens decreased from 38% to 19%.

Interestingly, 84% of people reported hard tokens were the most trustworthy form of 2FA. However, they did not agree hard tokens were more secure than a username and password.

"We view the distinction between trustworthy and secure as a focus on reliability," says Lady. "Users have great confidence that hard tokens will work, but they recognize that there are risks, such as losing them."

Email-based authentication is perceived as secure because it arrives in users' inboxes, but it's less trustworthy because emails commonly disappear or take a long time to arrive.

2FA via push notification ranked highest for user perception. Users reported it was the least frustrating and required the least concentration, plus instructions were not needed to use it.

Researchers also dug into where people most frequently use different methods of 2FA. Email/SMS is the most popular method in work environments at 29%, followed by authenticator apps (21%), and hard tokens (15%). More specifically, it's also the most common form of 2FA in the financial industry (45%) and in healthcare (31%).

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.