A recent study done by Duo Security, the company behind the Duo two-factor authentication (2FA) application as well as other security solutions, revealed that only 28% of people in the United States use 2FA. However, among those who do use 2FA, security keys are the most convenient, followed closely by push notifications (such as Duo Push or the Google Prompt) and authenticator apps.
Duo’s Findings
Duo’s study had several major findings. One was that less than a third (28%) of online American users enable 2FA for their accounts. This number was lower than what Duo expected.
Another discovery was that more than half (54%) use two-factor authentication voluntarily, while the rest have to do it at work or are incentivized to enable it for some other reason. Almost half (45%) of the participants said they use 2FA on all the services that offer it.
Two-thirds of those who had enabled security keys and push notifications as an authentication method found them convenient to use, while 75% also found security keys to be "user-friendly." Only 1.8% of the participants said they had used 2FA in the past but no longer use it because they found it inconvenient to use.
Of the total participants, 86% used SMS authentication, in no small part because this is often either the only 2FA solution most services offer or at least the default one. Only 9% used physical security keys, but that was still a higher number than Duo expected.
The National Institute of Standards and Technology (NIST) has deprecated SMS 2FA because it found that it is too easy for attackers to intercept the authentication codes.
The Importance Of Two-Factor Authentication
Ideally, 2FA wouldn’t be needed because our login passwords to various services should suffice, assuming those companies use best practices to encrypt them. This would ensure that attackers can’t decrypt them, especially if the passwords you use aren’t easy to brute-force through a dictionary attack.
However, in the real world, we’ve seen that many companies either don’t encrypt passwords at all or do so poorly, leaving account credentials vulnerable to malicious hackers. This is what makes 2FA almost mandatory, at least for online accounts where you keep important data. If attackers retrieve your password, they won’t be able to log in to your account unless they also have your 2FA code.
There are various 2FA methods, but the most secure and, according to Duo’s study, the one most people find the easiest to use is a Universal 2nd Factor (U2F) security key.