Duo: Most 2FA Users Find Security Keys Convenient To Use

A recent study done by Duo Security, the company behind the Duo two-factor authentication (2FA) application as well as other security solutions, revealed that only 28% of people in the United States use 2FA. However, among those who do use 2FA, security keys are the most convenient, followed closely by push notifications (such as Duo Push or the Google Prompt) and authenticator apps.

Duo’s Findings

Duo’s study had several major findings. One was that less than a third (28%) of online American users enable 2FA for their accounts. This number was lower than what Duo expected.


Another discovery was that more than half (54%) use two-factor authentication voluntarily, while the rest have do it at work or are incentivized to enable it for some other reason. Almost half (45%) of the participants said they use 2FA on all the services that offer it.

Two-thirds of those who had enabled security keys and push notifications as an authentication method found them convenient to use, while 75% also found security keys to be "user-friendly." Only 1.8% of the participants said they had used 2FA in the past but no longer use it because they found it inconvenient to use.

Of the total participants, 86% used SMS authentication, not in small part because this is often either the only 2FA solution most services offer or at least the default one. Only 9% used physical security keys, but that was still a higher number than Duo expected.

The National Institute of Standards and Technology (NIST) has deprecated SMS 2FA because it found that it is too easy for attackers to intercept the authentication codes.

The Importance Of Two-Factor Authentication

Ideally, 2FA wouldn’t be needed because our login passwords to various services should suffice, assuming those companies use best practices to encrypt them. This would ensure that attackers can’t decrypt them, especially if the passwords you use aren’t easy to brute-force through a dictionary attack.

However, in the real world, we’ve seen that many companies either don’t encrypt passwords at all or do so poorly, leaving account credentials vulnerable to malicious hackers. This is what makes 2FA almost mandatory, at least for online accounts where you keep important data. If attackers retrieve your password, they won’t be able to login to your account unless they also have your 2FA code.

There are various 2FA methods, but the most secure, and according to Duo’s study, the one most people find the easiest to use, is a Universal 2nd Factor (U2F) security key.

Create a new thread in the News comments forum about this subject
This thread is closed for comments
6 comments
Comment from the forums
    Your comment
  • WyomingKnott
    Brilliant. A convenient, widely-used two-factor authentication device. Two negative comments:
    1) It's a great solution, but I have an unproven prejudice that challenge-response is safer than synchronized key generation.

    2) You really, really have to trust them. Just the idea of attaching an automatic keyboard to my machine brings up images of it ordering ten thousand pairs of sneakers on Amazon or something. And unless I missed something, since they hold the symmetric key and your unique id, someone with access to that data could impersonate your device. They'd still need your password for the resource in question, but a device attached as a keyboard smells like a good place to put a keylogger, a la MantisTek GK2: http://www.tomshardware.com/news/mantistek-gk2-collects-typed-keys,35850.html

    Then again, I'm paranoid. I kept my passwords in a password safe on a Palm Pilot until I broke the thing earlier this year. No internet connection. No way for someone to access the data remotely. Plus Elder Geek cred for carrying a Palm Pilot.
  • merlinq
    Anonymous said:
    Brilliant. A convenient, widely-used two-factor authentication device.


    In response to both 1 and 2:
    FIDO U2F is a challenge-response system.
    And no, the service you connect to does not have a symmetric key, it is based on asymmetric public-private key cryptography, the only record of the private key is held by you, on your YubiKey.
    Every service gets it's own key pair, so no 2 services have any knowledge of even the existence of another service, and the key pair is the only identifying feature, the service has no way of knowing whether you are using a particular key, or multiple keys.
    The Yubikey is programmable, so you can control almost every aspect of it, including what services it has.

    In terms of trust, YubiCo is one of the largest, and longest lived companies in the physical second-factor business, and is a big pusher for open-source security solutions.

    I am speaking, of course, of the physical keys pictured, which their study named as being the most secure, as well as most convenient 2FA system, not about the duo push, or sms based systems, both are, imho, woefully insecure systems.

    I too, am highly paranoid, and use a non-internet capable device for important password storage (though I do use the more convenient keepass for low-security passwords such as forums, that I use often. I have also been using YubiKeys as my 2FA system since before they helped design FIDO U2F, since I was introduced to them in the cryptocurrency world.
  • Olle P
    Don't they mean three factor authentication?
    I've allready experienced one factor (password only), which was inherently bad since it required the password to be unique.
    Two factors (password and user name) is the norm and works fairly well.
    Adding a third factor may improve security but often come in the form of inconveniance.
  • A U2F device does not have a global identifier visible across online services or websites.
  • A U2F device does not have a global identifier within a particular online service or websiteExample 1: If a person loses their U2F device, the finder cannot 'point it at a website' to see if some accounts get listed. The device simply does not know.Example 2: If person A and B share a U2F device and they have each registered their accounts on site X with this device, there isn't any way for the site X to guess that the two accounts share a device based on the U2F protocol alone.
  • A key issued to a particular online service or website can only be exercised by that online service or website.Since a key is essentially a strong identifier this means U2F does not give any signal which allows online services or websites to strongly cross-identify shared users.
  • A user has to activate the U2F device (i.e., 'press the button') before it will issue a key pair (for registration) or sign a challenge.