
Why Are Users Ignoring Multi-Factor Authentication?


News Analysis: Twitter reports that two-factor adoption remains startling low, prompting exasperation and frustration among cybersecurity professionals.

Cybersecurity experts can be a crabby bunch. The debates and arguments last for decades (responsible disclosure, anyone?) and it’s rare to find consensus from all stakeholders on the best risk mitigation decisions.

There’s one very noticeable exception: Multi-factor authentication (MFA) is universally hailed as a leapfrog security measure that drastically reduces online threats like identity theft and online fraud. Security experts routinely recommend that users implement MFA technology where available, stressing the value of additional layers of authentication to thwart malicious hackers.

Still, after a decade of evangelism and multi-millions spent on innovation, overall MFA adoption remains stagnant and the latest numbers from Twitter tell a startling story.

In a new transparency report released this month, the social media giant said that barely 2.3 percent of all its active accounts had at least one method of two-factor authentication enabled between July and December of last year.

Even worse, of that paltry 2.3 percent who did turn on two-factor authentication, 80 percent used the weaker SMS-based method, which is known to be susceptible to phishing and SIM-hijacking attacks.

Twitter acknowledged this is a significant industry-wide hiccup. “Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure.”

“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”

Twitter hailed 2FA as “one of our strongest protections against account compromise,” noting that it helps to mitigate threats from password reuse or data theft where Twitter accounts may be part of a data dump.

Interestingly, Twitter offers several types of two-factor authentication, including the ability to use an authentication app, a hardware security key, or even the text message/SMS option that is risky but still better than nothing.

“While any form of 2FA is much more secure than not having 2FA enabled at all, some forms of 2FA are more secure than others. In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks,” Twitter’s transparency report reads, even as it notes that the majority of its MFA-enabled users are using the SMS method.

[ Read: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication ]

Security professionals reacted to the Twitter numbers with a mixture of alarm and exasperation.  

“Where do you want me to start?” asked one well-connected security professional who is tasked with a large-scale MFA deployment. “The user experience to set up MFA is a disaster. It’s a bigger disaster because everyone does it differently and there is no standard to anything. You can’t use lessons learned from one deployment to the next. It’s just messy.”

Andy Ellis, a seasoned security leader who now serves as operating partner at YL Ventures, acknowledges that there is friction in user adoption that dates back to horror stories about account lockouts and lost accounts. “If there is no way to recover an account when you lose your phone, it’s just not worth it,” Ellis said. The former Akamai security chief said the absence of a paid relationship between Twitter and its users also adds to the low adoption rate.

Microsoft’s David Weston says there is a disconnect between creating a security mechanism and enabling it as an optional feature.

“Optional security always means low volume,” Weston said in a Twitter discussion, noting that technology providers need to work harder to make the process more transparent and easy for everyone. 

One additional hiccup is that a growing number of users on most platforms don’t actually know their passwords, because long-lived browser sessions mean they rarely have to type them. As one security professional explained, two-factor authentication is only an option for people who remember their password or use a password manager.

“When product/security teams have to roll a secret that underpins session security or make some other change that will invalidate sessions, they either need to make it backwards compatible or estimate the number of sessions that will be invalidated and the percentage [of users] that likely won’t return because they don’t know their passwords.”

Will Gregorian, head of security at Color Health, said industry-wide MFA adoption remains low because MFA applications and the set-up process can be filled with inconveniences and fears of being permanently locked out of accounts. “The user interface is inconsistent,” Gregorian said, noting that negative patterns are reinforced when a user enables MFA and still receives data leak notices.

The problems go deeper than bad user experience or account-lockout fears. Some online providers, including some financial services firms, even roll out custom two-factor technology, bypassing industry standards and adding even more friction to the ecosystem.

Related: SIM Swapping Blamed for Hacking of Twitter CEO’s Account

Related: Twitter Enables Use of Security Keys as Sole Two-Factor Authentication Method

Related: 6 Ways Attackers Can Bypass SMS 2-Factor Authentication


Related: Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
