Multi-Factor Authentication Spending Study – Yubico

Despite increased spend, research shows gaps in MFA best practices with only 22% perceiving security of SMS-based authentication as an issue

PALO ALTO, CA and STOCKHOLM, SWEDEN – April 27, 2021 – Yubico, the leading provider of hardware authentication security keys, today announced the results of a new research study, Work-from-Home Policies Driving MFA Adoption, But Still Work to be Done, conducted in partnership with 451 Research. The report analyzes preferences and adoption trends with respect to multi-factor authentication (MFA) in the enterprise and ultimately reveals that while MFA adoption and spending are on the rise, organizations are still unclear on best practices and methodologies.

The findings show that MFA adoption and spending have increased within the enterprise due to a confluence of several factors: the growing recognition that stolen credentials and phishing attacks are at the root of most security breaches; the rise of work-from-home (WFH) policies due to the COVID-19 pandemic; and the adoption of modern authentication standards such as Fast Identity Online (FIDO) U2F, FIDO2 and WebAuthn that underpin new advances in two-factor (2FA) and passwordless authentication.

However, the research also highlights a variety of barriers to more widespread MFA usage such as inconvenience, complexity, and cost. Furthermore, many enterprises remain largely unaware of the security defects found within more common mobile MFA form factors such as SMS-based authentication, which has been widely deprecated for years.

“The pandemic and the move to cloud-based office applications has been a turning point for enterprises to implement and modernize their multi-factor authentication,” said Stina Ehrensvärd, CEO and Founder, Yubico. “What this research shows is that while there is an appetite for strong security with an elegant user experience, many companies stick with less effective old habits and technologies. A user deployment study by Google was the first to highlight the remarkable benefits and return on investment of YubiKeys and security keys. This new research is a great further validation of the authentication technology Yubico invented and the standards work we have spearheaded.”

Key findings from the survey include:

  • MFA spending trends are encouraging with nearly three out of four respondents (74%) planning to increase spending on MFA. It was the top security technology to be adopted due to COVID-19 and the subsequent migration to WFH (49%).
  • Over half (53%) of all respondents have experienced a security incident or breach in the past year and MFA was among the top three security technologies adopted as a response to a security breach.
  • Increased security is the number one reason enterprises are adopting MFA, with 57% of respondents reporting as much. User experience (43%), complexity (41%), and cost (36%) are still the main obstacles to MFA adoption, which comes as no surprise. These challenges have long been common complaints about MFA, even though modern authentication technologies such as biometrics and security keys have been proven to provide better security and usability than legacy MFA technologies.
  • Despite the increase in security vulnerabilities for mobile and SMS-based MFA, mobile OTP authenticators (58%), mobile push-based MFA (48%), and SMS-based MFA (41%) are among the most popular MFA form factors other than passwords. This reveals that enterprises may still perceive mobile MFA as being more user-friendly and accessible than other MFA options and are prioritizing user experience over security benefits despite reporting otherwise. 
  • Many organizations still rely heavily on SMS-based authentication, but only 22% perceive security of this form factor as an issue despite growing evidence of breaches and attacks exploiting mobile or SMS-based authentication methods.
  • Enterprises are stopping at privileged users when it comes to usage of MFA, but time and time again breaches are showing that lower-level employees can leave an organization vulnerable by being a ‘way in’ for adversaries. The research shows that privileged users and third parties (contractors, consultants, partners) are the most likely to use MFA, while end customers are the least likely.
  • FIDO2 and passwordless authentication are gaining momentum as ways to address traditional MFA pain points as more than half of the organizations surveyed (61%) have either deployed or have passwordless authentication in pilot (34% of respondents have already deployed passwordless technology, 27% in pilot).

Download the complete report here, and for a deep dive into the findings from this report, sign up for the upcoming Yubico webinar, Remote Work During COVID-19 Drives MFA Adoption, on May 18 at 10 am PT.

About the Study

In November 2020, 451 Research conducted an online survey of organizations that have implemented two-factor or multi-factor authentication across North America. The survey targeted 200 executive management, senior IT management, mid-level management, senior security and risk staff, and senior risk staff in verticals such as technology, financial services, education, professional services, retail and the government sector. In addition, the survey captured data from respondents representing companies with 1-10,000+ full-time employees.

About 451 Research

451 Research is a leading information technology research and advisory company focusing on technology innovation and market disruption. More than 100 analysts and consultants provide essential insight to more than 1,000 client organizations globally through a combination of syndicated research and data, advisory and go-to-market services, and live events. Founded in 2000, 451 Research is a part of S&P Global Market Intelligence.

About Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts. The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers. Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries. Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com.

Media Contact: 

Zander Wharton 

Public Relations Manager, Yubico

zander.wharton@yubico.com

203-733-2815
