Most Americans have never heard of multi-factor authentication

Only 28 percent of Americans use two-factor authentication.
Security key in action as a second factor of identity (Yubico)

Most Americans have never heard of two-factor authentication, even as the world’s biggest tech companies are pushing increasingly strong versions of multi-factor authentication in hopes of solving a vast array of cybersecurity problems.

According to a new survey from Duo Security, only 28 percent of Americans use two-factor authentication and over 56 percent never heard of the technology before the survey. Just over half (54 percent) of Americans using two-factor authentication began doing so voluntarily. About 45 percent of respondents began because they were forced or incentivized to do so.

There may be some good news hidden in these numbers. Of the people who have turned on two-factor authentication, only about 1 percent ended up turning it off. Every one of them cited inconvenience as the reason.

Two-factor authentication is a way for people to prove their identity in two ways using something they know (like a password) and something they have (like their phone or a security key). It’s a concept that’s been around for decades, but Google became the first major tech company to offer 2FA in response Gmail accounts being breached by Chinese hackers. Since then, it’s spread widely around the tech world. Security experts consider it one of the most important cybersecurity tools the public has in their fight against hackers.


SMS is by far the most popular method of two-factor authentication (90 percent) despite the U.S. government and cybersecurity experts warning that it’s insecure, impossible to verify and easy to intercept. Emails, which aren’t much better than SMS in terms of security, follow closely behind.

“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3,” Paul Grassi, NIST’s senior standards and technology adviser, explained last year. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”

Authenticator apps such as Google Authenticator are a significant step up in security because they encrypt the data and rotate it at regular intervals. About half of 2FA users are utilizing this type of app.

Only nine percent of people using 2FA are using security keys, such as a Yubikey, that experts say cannot be spoofed, phished, and surveilled in the same way that most other popular options can. Companies like Yubico recently reported significant sales growth, but keys remain the least popular authentication method by far.

Latest Podcasts