Written By: Security.org Team | Published: August 27, 2020

Protecting your online accounts with a password is enough security…right? Wrong. Millions of Americans fall victim to identity theft each year, often a result of hackers stealing usernames and passwords. That’s why consumers are increasingly turning to two-factor authentication (2FA) or multi-factor authentication to prevent cybercrime.

What does this mean, and what are best practices? For starters, if you’ve ever used a fingerprint to open your phone or confirmed your identity by entering a code texted to you as part of logging into a site, you’ve engaged in a second form of authentication. We’ll go over all of that and more in this guide to authentication.

What Is Authentication?

Let’s get back to basics with a quick definition of authentication and what that actually looks like in the online world.


Authentication, simply put, is the validation of a user’s identity online, but it can look a few different ways depending on the account’s capabilities and the user’s preferences.

Types of Authentication

When it comes to authentication, it usually appears in one of the following buckets:

Password only

Most people secure accounts with usernames and passwords only, making this one of the most common methods. However, suppose someone gets or guesses your username and password. In that case, it’s important that they are unable to gain access by implementing some advanced authentication methods, namely two or multi-factor authentication.

Two-factor authentication (2FA)

Two-factor authentication typically comes in the form of a passcode sent to a mobile device, phone number, or email, sometimes referred to as a one-time PIN (OTP).

Multi-factor authentication (MFA)

Multi-factor authentication takes things a step further and comes in many forms, such as biometrics like fingerprint or facial recognition1, security questions, the CVV on the user’s credit card, or even physical devices like a USB token or card reader2. However, biometric authentication is perhaps the most common type of MFA that you’ll see.

Multi-Factor Authentication Examples

Even though you may or may not have heard of authentication before reading this guide, it’s super common and available in various online accounts. Here are a few common examples:

Financial accounts

Given the sensitivity of the information stored, many banks and financial institutions require two-factor authentication to access users’ online accounts. This usually means receiving a text, e-mail, or phone call confirming your identity after entering a password.

Face and Touch ID

Anyone with a recent iPhone or iPad will know Face ID or Touch ID, a form of multi-factor authentication.

Ring Doorbell Camera

After multiple hackings of Ring cameras’ live feeds, Ring added two-factor authentication to the Ring— Always Home app, requiring users to enter passcodes in addition to their usernames and passwords3. Many security camera brands have followed suit, but a large chunk of brands still rely on passwords only for securing live feeds and recordings.

If you’re not sure if an online account has advanced authentication options, go into settings and then look for a section on privacy; you will be able to enable it there, most likely.

Authentication Pros and Cons

Authentication protects users' accounts from unauthorized access. However, each type of authentication has its unique benefits – and cons, for that matter.

Password only

The easiest and quickest way to access an account is with a regular password; just type it in and enter your account.
However, not all passwords are stored in an encrypted vault, which could raise a security risk4. In addition, if a hacker gets a user’s password through a phishing attempt, they can access the account if there’s no other authentication implemented.

Two-factor authentication

2FA blocks many types of cyberattacks, from phishing and spear phishing to brute force and dictionary attacks.
That being said, it makes logging in take a bit longer and it depends on a third-party device5, so if that device malfunctions, you may have trouble accessing your own account. Plus, if your device is stolen, access might (literally) fall into the wrong hands.

Multi-factor authentication

The benefits of MFA are fairly obvious; with fingerprint or face ID, you never have to worry about not having a device, and they’re hard if not impossible to forge. They’re also quick; and, you don’t have to worry about remembering a password6.

On the other hand, biometrics can’t be changed if the device or account is compromised, and they tend to be available only on pricier devices like iPhones. Also, some people may object to having large tech companies store their fingerprints or retina scans, so for the privacy-minded, MFA may be somewhat of a nightmare. Reliability is another concern; biometric scans are fairly new technology to consumer products, so it’s not uncommon for some devices to mis-authenticate a log-in attempt.

Authentication Best Practices

While the majority of the best authentication practices lie with the developers themselves, there are a few ways that users like you can use it to your advantage:

  1. No plaintext: No matter how convenient it may be, never store your passwords in plain text or email or text them to somebody; instead, use an encrypted password manager to save and share your passwords.
  2. Password hygiene: Jumping off of that, make sure each online account has its own unique, complicated, and long password7; no using your address for all of your accounts or god forbid, the word “password” itself!
  3. Check your privilege: And no, we’re not talking about social justice. When creating privileges for accounts or documents, use the least amount of privilege as you need, like being a contributor rather than an administrator. That way, if your account is hacked, the hacker won’t be able to do as much damage to your files.
  4. Default to deny: Lastly, set up your Google Drive or any shared cloud storage space to “default to deny”, meaning that you have to grant people access for them to view and change your files8. Think of it as “guilty until proven innocent” but for accessing things like documents and spreadsheets.

Authentication Statistics

Authentication may not be the latest dance craze, but it’s definitely popular and growing more so year after year.

Industry Usage

Let’s talk about the big picture. As per our last checking, the Advanced Authentication Market in the U.S. was valued at $9.75 billion; in six years, that number is expected to balloon up to $20.73 billion. North America has led the global multi-factor authentication market since at least 2018.

Why exactly is the authentication market growing as fast as weeds in your garden? A few reasons, including:

  • Increased financial fraud
  • Cyberattacks
  • More usage of digital payment apps through smartphones and other wireless devices
  • More investments in cloud technologies.

Consumer Usage

That’s it for the authentication industry statistics, but what about consumers themselves? Through our research, we discovered some interesting statistics:

  • 28 percent of respondents have used 2FA, 54 percent of whom began using it voluntarily as opposed to mandatorily from a job.
  • Two-thirds of people who had used security keys or push notifications found it quick and convenient.
  • Out of the 1.8 percent of the survey’s respondents who had used 2FA in the past and then stopped, seven out of the eight respondents said the driving factor was inconvenience.
  • Older people were less likely than younger people to use 2FA; students, employed people, and men were the most likely groups to use 2FA.
  • 86 percent of the respondents used 2FA through email or SMS, 52 percent used it through an authenticator app and 39 percent used a phone call10.
  • The use of MFA by employees in businesses worldwide skyrocketed in 2019 to 57 percent; nearly 400 percent higher than the year prior. Use of MFA in businesses has grown steadily since then.
  • 95 percent of the employees who used MFA used a software-based solution like an app, while four percent used a hardware-based solution and only one percent used biometrics.
  • Out of the businesses where employees used MFA, 33 percent worked in education, 32 percent worked in the banking/ finance industry, 31 percent worked in telecommunications and 27 percent each worked in tech/software or the government.
  • MFA is used more commonly at large businesses compared to small businesses.
  • The most popular MFA options among businesses were LastPass Authenticator at 39 percent, Duo Security at 31 percent, and Google Authenticator at 24 percent11.
  • 59 percent of executives say that they plan to implement or expand MFA within three to six months, while another 26 said they plan to implement or expand it in the next year12.
  • According to the Pew Research Center, 52 percent of online adults have used 2FA on their accounts, which accounts for 59 percent of online adults ages 30 to 49, 53 percent of online adults ages 18 to 29, 49 percent of online adults ages 50 to 64 and 38 percent of online adults 65 and older.

While different studies and surveys have produced slightly different numbers as to the consumer usage of authentication, one thing that everyone can agree on is that authentication isn’t going anywhere. In fact, it’s only getting more popular as time goes on.


Authentication is a quick and easy way that you can majorly up your account security. Considering that, according to our recent survey on identity theft, almost half of Americans have experienced credit card fraud, securing your accounts has never been so important. As a means of avoiding identity theft and preventing unauthorized access to your online accounts, robust authentication is the way of the future.

Most accounts are only protected by a single password, but this measure alone won’t protect users from identity theft and cybercrimes. Too many Americans fall victim to these crimes because hackers can get most usernames and passwords easily. To mitigate risk, it’s crucial to adopt 2FA or MFA. These keep people who get your username and password out of your accounts.

2FA and MFA can be in the form of codes sent to your mobile device, biometric verification (fingerprints and facial recognition), security questions, and more. Whatever method you choose, just make sure you don’t opt for the most basic form: The password-only method. Using authentication best practices will help you keep control of your personal information and data.


How does 2 factor authentication provide protection against identity theft?

Two-factor authentication adds an additional layer of protection to user’s accounts online. It requires a person to provide two forms of identification, like a password and a unique passcode that regenerates on your phone every few minutes. This protects against identity theft because it prevents unauthorized access to accounts that can be used to steal identities.

What is the strongest authentication factor?

Biometric multi-factor authentication is considered one of the strongest authentication factors.

Can hackers get around 2 factor authentication?

Yes, knowledgeable hackers can get around two-factor authentications without having any login credentials.

What is the difference between 2 factor and multifactor authentication?

Two-factor authentication requires two types of authentication, while multi-factor authentication requires two or more types of authentication.

What is the least secure authentication method?

The least secure authentication method is the password-only method. Since only a username and password are required, it makes an account and user’s information incredibly vulnerable.


  1. https://www.okta.com/identity-101/authentication-vs-authorization/
  2. https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/
  3. https://support.ring.com/hc/en-gb/articles/360024511592-Two-factor-security-authentication-with-Ring-products
  4. https://habiletechnologies.com/blog/pros-cons-using-authentication/
  5. https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/
  6. https://www.coursehero.com/file/66097704/Abie-Different-Ways-to-Authenticate-Users-with-the-Prospdf/
  7. https://cloud.google.com/blog/products/gcp/12-best-practices-for-user-account
  8. https://its.unl.edu/bestpractices/authentication
  9. https://www.mordorintelligence.com/industry-reports/advanced-authentication-market
  10. https://duo.com/assets/ebooks/state-of-the-auth.pdf
  11. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LMI0828a-IAM-LastPass-State-of-the-Password-Report.pdf
  12. https://www.microsoft.com/security/blog/2020/03/05/it-executives-prioritize-multi-factor-authentication-2020/

Logo of Security.org