40+ Multi-Factor Authentication Stats (2024)
The global cybersecurity market is valued at almost $200 billion.
As many as 30% of internet users have fallen victim to a data breach due to a weak password.
As a result, many companies are turning to multi-factor authentication (MFA) to provide additional security.
Below, we’ll dive into the top MFA stats including user and regional data.
Contents
Top MFA Stats
- Over 50% of IT professionals use time-based one-time passwords for MFA.
- Around 1 in 4 companies have turned to MFA after a cybersecurity breach.
- 55% of small businesses are not aware of MFA.
- In the space of a year, Germany increased MFA adoption by over 1.5x.
- 33% of consumers are reluctant to use MFA because it is annoying.
- Nearly 1 in 2 IT and cybersecurity leaders predict that MFA will replace passwords.
Popular MFA Methods
More than half of IT professionals use time-based one-time passwords (HYPR)
The most popular multi-factor authentication method is time-based one-time passwords (TOTPs).
A 2023 survey revealed that nearly 56% of respondents use SMS TOTPs, while over 51% use email TOTPs.
More than one-third of IT professionals use mobile push notifications, while about 30% use email one-time passwords (OTPs) – not time-based – and about 30% use SMS OTPs.
A small number (1.83%) of IT professionals said no MFA protocols were implemented in their organization.
Here’s a breakdown of the most popular forms of MFA:
Multi-Factor Authentication (MFA) Method | Share of Respondents |
SMS TOTPs | 55.96% |
Email TOTPs | 51.38% |
Mobile device push notifications | 36.7% |
Email OTPs (not time-based) | 30.28% |
SMS OTPs (not time-based) | 30.28% |
Email web links | 26.61% |
QR code scanned by mobile device | 26.61% |
SMS web links | 25.69% |
PC push notifications | 21.1% |
Hardware token | 20.18% |
Fast Identity Online (FIDO) security keys | 16.51% |
FIDO mobile authenticator | 13.76% |
Around 7 in 10 companies use usernames and passwords as an authentication method (Cybersecurity Insiders)
The most popular authentication method employed by organizations is a username and password (68%).
This is followed by software tokens like one-time passwords, with half of all companies using them.
Here’s a closer look at the most used authentication methods:
Authentication Method | Respondents Using |
Username and password | 68% |
Software tokens (e.g., one-time password) | 50% |
Hardware tokens (e.g., key fobs, USB tokens, smart cards) | 34% |
Out-of-band authentication (e.g., push notifications, SMS, voice) | 30% |
Biometric authentication | 26% |
Tokenless authentication (e.g., context-based, pattern-based) | 22% |
Social identity credentials (e.g., LinkedIn, Facebook, X) | 18% |
MFA Security Statistics
Increasing two-factor authentication adoption is the top authentication priority for developers (Bitwarden)
Approximately 2 in 5 (41%) developers are prioritizing 2FA adoption over any other authentication area.
Here’s how this compares to other authentication priorities for developers:
- 33% want to increase password security
- 12% want to increase user security
- 12% want to improve user experience during authentication
Only 2% of developers believe that some form of authentication improvement is not a priority.
26% of organizations have implemented MFA following a cyberattack (Cybersecurity Insiders)
After facing a cyberattack, around 1 in 4 companies turn to MFA to strengthen security.
That makes it the third most popular response to cyberattacks alongside increased user education and awareness training (26%).
The most common ways organizations have improved cybersecurity are by conducting regular security audits and vulnerability assessments (38%) and by strengthening password policies (30%).
Other security enhancements made after cyberattacks include:
- Increasing education and awareness (26%)
- Launching monitoring and detection programs (24%)
- Deploying single sign-on solutions (24%)
- Implementing encryption/secure communication protocols (22%)
- Enhancing access controls and user privilege management (20%)
- Detecting and remediating compromised credentials (18%)
- Adopting passwordless authentication methods (10%)
Over half of small business owners have yet to implement MFA (Cyber Readiness Institute)
The use of MFA is recommended by security experts, yet just 46% of small businesses are using it.
Furthermore, only 13% of small business employees need MFA to access their employer’s accounts or applications.
More than half of small businesses are not very aware of MFA (Cyber Readiness Institute)
Cybersecurity awareness is under expected levels in small and medium-sized businesses (SMBs).
Over half (55%) of SMB owners are not “very aware” of MFA and its security benefits.
It’s perhaps unsurprising that 54% of SMBs have not implemented MFA, as 47% of those in charge claim to either not understand it or see its value.
99.9% of automated cyberattacks are blocked by MFA (Microsoft, AAG)
Microsoft claims that more than 300 million fraudulent sign-in attempts are made daily on cloud servers. Meanwhile, Google blocks approximately 100 million phishing emails per day.
However, by implementing MFA, organizations can block up to 99.9% of all automated cyberattacks.
MFA implementation can halve the number of account hacks (ExtremeTech)
According to Google, account hacks drop by 50% when using two-step verification.
MFA by Region
Germany has seen the largest annual increase in MFA volume (Duo Security)
In 2023, no other nation recorded a bigger rise in MFA volume than Germany (52.3%).
Japan saw the next largest increase in MFA volume with a 28% change over the previous year.
Here are the countries with the greatest recent increases in MFA usage:
Nation | Region | 2023 MFA volume increase |
Germany | Europe | 52.3% |
Japan | Asia | 28% |
Brazil | South America | 26.3% |
Philippines | Asia | 24.9% |
Australia | Oceania | 16.9% |
Canada | North America | 14% |
United States | North America | 13.4% |
Singapore | Asia | 6.1% |
United Kingdom | Europe | 4.5% |
India | Asia | 1.7% |
China has seen a decrease of over 25% in annual MFA volume (Duo Security)
As of 2023, China has seen the largest fall in MFA volume, dropping 26.3%.
That is closely followed by Jamaica, with a fall of 23.3%.
Here are the countries with the greatest recent decreases in MFA usage::
Nation | Region | 2023 MFA volume decrease |
China | Asia | 26.3% |
Jamaica | North America | 23.3% |
Hong Kong | Asia | 10.8% |
Hungary | Europe | 10.4% |
Ireland | Europe | 10.3% |
Taiwan | Asia | 8.2% |
Kenya | Africa | 6.8% |
El Salvador | North America | 5.5% |
Netherlands | Europe | 2.5% |
Israel | Asia | 1.4% |
Opinions on MFA
Around 9 in 10 people claim that passwordless MFA provides the top level of security (HYPR)
According to a 2024 HYPR report, 89% of people think that MFA without passwords is the highest level of security achievable.
As a result, 41% of those surveyed intend to adopt some form of passwordless authentication in the next 12 to 36 months.
1 in 3 consumers will not use MFA because it’s annoying (Prove)
The most common reason (33%) for refusing to use MFA is that “it’s annoying”.
Other frequent reasons include:
- MFA is “too complicated” (23%)
- MFA is “too slow” (23%)
- MFA verification often gets lost in spam or is not delivered at all (22%)
Around 1 in 5 people believe MFA is the best way to achieve personal cybersecurity (Keeper Security)
A 2023 survey found that “picking strong passwords” (28%) was voted the top way to improve personal cybersecurity.
Not sharing personal information online (19%) and enabling MFA or 2FA (19%) placed joint-second.
Other popular methods people choose to protect themselves against cybersecurity threats include purchasing anti-virus protection (11%), using a password manager (7%), and keeping their software up to date (7%).
About one-tenth (9%) of respondents said they do not think there is a single best way to achieve personal cybersecurity.
Almost half of IT and cybersecurity leaders expect MFA to replace static passwords (Delinea)
Nearly 1 in 2 (46%) of IT and cybersecurity leaders predict that MFA will take the place of static or reusable passwords in the workplace, according to a 2023 survey.
Of the solutions listed, MFA came in second (46%), with biometrics in the top spot (58%).
Here’s the full list of solutions that are being used to replace static passwords at work:
Password Replacement Method | Proportion of Vote |
Biometrics (facial recognition, fingerprint scans, iris scans, voice activation, etc.) | 58% |
Multi-factor authentication | 46% |
One-time password, magic links, QR codes | 37% |
Security keys | 37% |
Passkeys | 35% |
PIN codes | 34% |
Single sign-on | 30% |
Passphrases | 26% |
Approximately 3 in 4 people say a smartphone is the most convenient MFA method (Cybersecurity Insiders)
When asked for the most convenient method of conducting MFA, 73% of IT professionals agreed on smartphones.
That is over 4x more than the next most popular answer – a built-in authenticator like TouchID or Windows Hello (17%).
The remaining respondents opted for a smart card (5%) and a Universal 2nd Factor (U2F) security card (5%).
Conclusion
Although MFA usage is on the rise, there is evidently plenty of room for further adoption.
For more related data and statistics, take a look at Top Cybersecurity Industry Trends, Cybersecurity Companies & Startups to Watch, and the Top Cybersecurity Newsletters you can subscribe to.