Two-Factor Authentication Statistics: First Line of Defence

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

Two-factor authentication statistics have proven that authentication methods are effective when it comes to combating cyber threats. It’s proven by Google, that two-step authentication via SMS can stop 100% of all automated attacks.

Accounts payable teams who are looking to integrate layers of security such as Multi-Factor Authentication (MFA) are much more protected. MFA is a strong authentication method because it requires users to provide two or more verification factors such as things you know (password or pin), things you have (phone or device) and things you are (fingerprint or face recognition).

By incorporating authentication methods in your accounts payable departments you can decrease the likelihood of phishing or brute force attacks. In this statistics page, we explore the importance of authentication methods.

Author’s Top Picks

  • According to Google, two-step verification through SMS text messages can stop 100% of all automated attacks, 96% of bulk phishing attacks and three-quarters of targeted attacks.
  • 2.5% of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.
  • Implementing 2FA in business can prevent data breaches which can cost a company up to $3 million.
  • According to the DCMS Cyber Security Breaches Survey 2022, only 1 in 3 of organisations have any requirement for two-factor authentication.

Two-factor authentication (2FA) statistics

1. A 2019 report from Microsoft concluded that 2FA works, blocking 99.9% of automated attacks.

For business safety, 2FA is a common requirement of almost every business; enabling employees to be more secure against cyberattacks. 2FA gives individuals at least two proofs of identification, which allows them to access the service by creating an account.

In the post-COVID-19 era, the popularity of cyber attacks is increasing. However, with the adoption of 2FA, companies are making it much harder for hackers to hijack the user’s username and password.

3. According to Google, using two-factor authentication blocks 100% of automated bot hacks.

Two-factor authentication increases the security of organisations by preventing unauthorised access that occurs when users share passwords or get hacked, or when the company experiences a data breach.

4. Research shows that 49% of customers refused to sign up with an online service that had incurred a cyberattack.

Enforcing 2FA will lower the odds of an unauthorised party accessing sensitive information, which can assure CFOs that their assets are safe. Accounts payable team security relies on a robust account security system to help safeguard against the loss of customer information.

5. According to Google, two-step verification through SMS text messages can stop 100% of all automated attacks, 96% of bulk phishing attacks and three-quarters of targeted attacks.

SMS text message based authentication is often the easiest and fastest option for many users. Text-based two-factor authentication provides better security, which improves the user experience.

6. In 2017, a mere 28% of respondents were using 2FA compared to 53% in 2019. That is a solid 25% gain in user security.

As more businesses adopt 2FA and add layers of security, 2FA use increases with time. In the period 2017 to 2019, 2FA use increased by 25%. Text messaging is now the leading cause and the most common method of using 2FA.

7. Google and Harris Poll found that 65% of participants reuse the same password on all or a significant portion of their accounts.

Overusing the same password on different accounts and profiles leaves one susceptible to breaches, which means cyber criminals will gain access to more financial accounts and personal information. Employees must use complex passwords across different accounts using a combination of numbers, letters and special characters.

8. 2.5% of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.

So far, two-factor authentication is only used by a minority of people using Twitter, but there’s a positive growth every year. Twitter has provided a ton of updates and improvements to the system this year, and we expect the percentage to increase.

9. Implementing 2FA in business can prevent data breaches which can cost a company up to $3 million.

Most businesses implement two-factor authentication to make themselves more secure from hackers. However, 2FA increases employees’ productivity and efficiency by ensuring that only employees with the proper ID can access data. Even if a staff member loses their mobile device or has their password stolen, 2FA gives businesses enough time to access an account. By doing so accounts can then be rectified from the issue before it causes too much harm.

10. Hosting company Akamai has found that more than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks.

Credential stuffing is a type of brute force attack that takes advantage of people’s reluctance to create and use unique passwords across our various accounts (both work and personal use). If the attackers get your credentials, they will try to use them to log in to other websites. This creates serious security risks for businesses and their customers.

11. According to Statista, 56% of UK-based, 48% of US, and 37% of Japanese organisations implemented 2FA as one of the primary technologies responsible for cyber security.

Starting in 2021, businesses in the US, UK, and Japan have adopted a few different cyber security practices to fend off cyber attacks. Within the next few years, every fintech company will include two-factor authentication as a protective measure against hackers. Some businesses have begun adopting other methods of 2FA such as the authentication app, app generated codes, SMS, email & recovery codes.

Industry statistics

12. 38% of financial services respondents believe that advancement in technology has increased information technology security risks.

There is no surprise that the financial sector is most frequently attacked by cybercrime. Cyber criminals take this opportunity to obtain personal information, like credit cards, which allows them to make thousands of dollars. However, CFOs and IT teams that take cyber security seriously can take preventative measures, like implementing 2FA, to defend their business against unauthorised logins, internal threats and external attacks.

13. Research shows that approximately 79% of all reported data breaches were made in the healthcare sector, and the industry was expected to spend over $6 trillion in damages from 2017 to 2020.

The healthcare industry needs better cyber protection to keep patients’ health information and credit card information safe. This can lead to extensive measures such as requiring two-factor authentication or the more advanced multi-factor authentication (MFA) security methods.

14. Among other industries, only the financial sector has reported using hardware tokens, but even this usage is only at 4%.

Hardware authentication tokens are a form of two-factor authentication that is more specific than just the use of your password. Hardly any businesses choose the hardware two-factor token as their preferred way of ensuring the security of their accounts. However, there has been a small percentage of businesses in the financial sector that use this method of authentication.

15. 2FA allows retail companies to authenticate the identities of users accessing their networks through remote desktops and mobile devices.

Using two-factor authentication comes with many benefits including stronger security protections and preventing fraudsters from stealing valuable credentials. Specifically, in the retail industry, two-factor authentication offers better protection against attackers, whether remote or not.

This is one of the many benefits why several businesses have switched to using two-factor authentication. The system authenticates users by using the details and the records of their mobile devices, in combination with their company’s authentication methods.

16. According to the DCMS Cyber Security Breaches Survey 2022, only 1 in 3 of organisations have any requirement for two-factor authentication.

Unfortunately, not all businesses utilise two-factor authentication or any security measure. Of the survey respondents, only a third utilise two-factor authentication meaning that user accounts and online accounts are at risk of cyberattacks. Cyberattacks can cost businesses millions of dollars whilst accessing sensitive data containing thousands of financial accounts.

17. Institutions are also 300 times more likely to encounter a cyberattack.

A data breach or cyber attack on a business may put not only their finances at risk but also their consumers. When banks suffer a cyberattack it directly impacts their consumers immensely. That is why I.T. teams as well as CFOs need to have layers of security including 2FA to safeguard their data.

Multi-factor authentication (MFA) statistics

18. The use of multi-factor authentication (MFA) could prevent as much as 80–90% of cyber-attacks, according to figures cited by the US national security cyber chief.

Multi-factor authentication lessens the risk of security breaches occurring and ensures your data is safe. MFA’s benefits include a secure experience for all users, streamlined management of credentials, MFA’s compatibility with SSO, and scalability for companies. Consequently, MFA can cut cyberattacks by up to 80-90%.

19. According to Google in 2017, hackers steal almost 250,000 web logins each week.

The sophistication of every cyberattack is increasing, becoming more imaginative every time. As a result, more and more businesses are adopting two-factor authentication as a security measure. Businesses that use two-factor authentication and want additional security may want to consider using multi-factor authentication.

20. More than 55% of enterprises use MFA to protect security.

Multi-factor authentication is important, as it makes stealing your personal information much more difficult for criminals. The less of your data is made public, the less likely that a thief will choose you to target. In short, the application employs the use of two or more of the following for accessing accounts or websites. This is accomplished by logging in with something you have (either your phone or USB device) and something you are (your fingerprints or other biometric data).

21. Microsoft states that around 99.9% of identity and data theft can be avoided through MFA.

Melanie Maynes, Product Manager, believes that most cyberattacks can be avoided with the use of Multi-Factor Authentication. With MFA, someone cannot access the account simply by cracking the password.

22. Enabling MFA means a double or triple layer of protection for your data.

Multi-factor authentication makes it harder for hackers to access your accounts, even if they have your password. This can take some time to disable. We highly recommend using an MFA where applicable to protect you from huge losses resulting from a data breach or hack.

23. As stated in the Cyber Signals report, 22% of Azure Active Directory identities utilise “strong” authentication in the form of MFA.

Businesses that institute two-factor authentication should educate their employees on the best way to implement this security standard. One way they can ensure strong authentication is through user verification passwordless. Together with the help of security keys and biometrics, hackers would have an extremely difficult time breaking into your accounts.

24. With MFA implementation, an organisation can improve security and privacy savings through a 50% reduction in the risk of a material breach.

Research from Forrester Consulting has revealed that corporations may enjoy a potential ROI when they invest in Multi-Factor Authentication (MFA). It is not just the one that MFA offers but in a combination with Single Sign-On (SSO) protects unauthorized users from accessing.

25. An organisation using MFA can see improvement in compliance and avoid potential regulatory fines and lawsuits.

Compliance professionals will notice that multi-factor authentication (MFA) is a key security tool in achieving and maintaining compliance with industry regulations, specifically in the healthcare and financial industries. More simply put, MFA is now a baseline, not an addition, to any company’s security.

26. MFA solutions have shown to protect against 100% of all automated bot attacks.

MFA solutions have the benefit of great security strengths in general password authentication and 2FA. Furthermore, authenticator apps provide team members with the advantage of connecting their smartphones and tablets even when they are not connected to the Internet.

27. According to LastPass, 57% of global businesses use MFA.

The study found that some countries use MFA more than others, with Denmark, Netherlands, and Switzerland at the top of the list. Usage rates depend on industry and company size too. Technology and software companies are still leading the way when it comes to two-factor authentication, with more big businesses now starting to follow suit.

Device statistics

28. With 68% of use, mobile push notifications are the most common authentication method.

Push notifications, a fast and efficient security tool, were the most popular type of multi-factor authentication in 2019. The one-time sent code takes up to one minute to verify users making it quick and easy to use.

29. Email (57%) was the second most common authentication method used.

Despite emails coming in second place (57%) for use of two-factor authentication according to a Duo Labs report, businesses need to be aware of risks with email usage due to BEC attacks. BEC attacks involve hackers using email to pretend to be business representatives.

30. SMS is the most common form of 2FA because consumers who own a mobile phone receive text messages 99% of the time.

With its limitations, there are drawbacks to using SMS 2FA. Mobile networks don’t encrypt messages while in transit, making them vulnerable to man in the middle attacks and SIM-swapping. Attackers may steal SMS codes through targeted phishing attacks.

31. As of 2017, Citi reported enrolling a million Asian Pacific customers into their voice authentication program.

Unlike username and password requiring classic logins, voice recognition is extremely secure. This type of technology is beginning to catch on in a big way among financial institutions. Citibank (Citi) uses voice authentication to verify its customers within the first few seconds of a call. Voice authentication helps banks and other businesses offer a more convenient customer experience for their clients, while also reducing the risk of fraud.

32. According to a study about 2FA, TOTP (Time-Based One-Time Passwords) had the highest usability score meaning it's preferred by a wide group of users.

TOTP stands for Time-based One-Time Passwords and is a common form of two-factor authentication (2FA). They are commonly generated passwords that are multi-digit, numbers, letters, and special characters that help enhance security and account security. Along with its other useful features, it’s often quick and more convenient.

Password statistics

33. The most common name to use in a password is Eva, with 7,169,177 instances.

Passwords are the most basic form of authentication, with 2FA taking this process one step further by pairing a password with an extra layer of security. Eva is the most common password used. In the case of cyber-crime, this password does not meet security standards and leaves the business open to fraud.

34. As password reuse statistics show, approximately 76% of millennials recycled their passwords in 2020.

76% of Millennials use weak passwords, most likely because they relied on their memory rather than a password manager. Most of the passwords used are recycled throughout other accounts that involve social media, financial accounts and employee accounts.

35. Hacking attacks using scripts that try to guess usernames and passwords happen every 39 seconds, globally.

These days, cyber criminals don’t even have to be present when conducting a hack. They can execute scripts or bots which do the work for them. Guessing passwords and usernames is a simple way for scammers to gain access to a business’s accounts.

36. 81% of company data breaches are caused by poor passwords.

If a business only has password authentication as a security control, it may be more susceptible to fraud, scams, and hacks. For greater account security, businesses must incorporate 2FA or MFA as an authentication control. All it takes for one data breach to occur is a common password.

37. A terrifying 13% of people use the same password for all accounts and devices.

A surprising amount of passwords are people’s names, their family’s birthday or pet names. Although other measures for security exist that could be favourable such as single sign-on (SSO), password vaults and generated passwords.

38. More than 60% of employees use the same password across multiple works and home applications.

Around 59% of people who should know better than to reuse the same password will use the same password in all situations, according to researchers. This could lead to increased risks of being hacked. Around 91% of people know that, yet they are still prone to bad habits.


Research shows that 2FA adoption is most common among employed people, with 79% of those using 2FA according to a survey conducted by Duo Security. This trend has risen from 28% in 2017 to 79% in 2021. The most common method of authenticating is through SMS, but study shows that there are alternative options that are more effective.

From a 2019 Microsoft report, we see that 2FA has successfully blocked 99.9% of automated attacks. In light of this data, when done correctly, 2FA greatly reduces the chance of an attacker gaining your personal data. The more secure you are about what you know and who you are, the more difficult it will be for a hacker to break into your account.

Two-factor authentication guards against phishing, social engineering, and brute-force password attacks and safeguards login attempts against attackers with weak or stolen credentials. This significantly boosts the security of logins. more specifically, two-factor authentication prevents nearly all automated bot-related attacks. Certain risks still exist depending on which 2FA you authenticate with – it is advised to create a complex password for 2FA.

Even with more security each year, hackers can still bypass two-factor authentication with sophisticated phishing attacks. It’s critical that both individuals and businesses have extra layers of security such as multi-factor authentication.

Two-factor authentication (2FA) is one of the types of multi-factor authentication. There are as many factors of authentication as there are ways to confirm the user’s identity (location, fingerprints, face, security keys), and any security protocol that includes three or more factors is considered MFA. two-factor authentication is the most commonly used subset of multi-factor authentication and is readily available.

Subscribe to our blog

Subscribe to the eftsure blog to receive updates when we post.

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.