Multi-Factor Authentication (MFA) Statistics You Need To Know In 2024
A compilation of the latest and relevant statistics regarding multi-factor authentication, its importance, and the wider threat landscape.
Multi-Factor Authentication (MFA) is an approach to verifying user identity that requires two or more independent factors: something the user knows (a password or PIN), something the user has (a phone, authenticator app, or hardware key), or something the user is (a biometric). It is, in essence, a security measure that acts as an extra layer of defense, preventing illegitimate users from accessing sensitive resources even when one factor has been compromised. MFA is an important tool in securing user identities and is often regarded as a critical component of any company’s identity and access management policy.
Once a user has entered their credentials, an MFA solution may require them to complete additional authentication steps before access is granted. Common second factors include one-time passcodes generated by an authenticator app, a push prompt sent to a registered device, a hardware security key, or a biometric scan using facial recognition or a fingerprint. Security questions are sometimes offered as a second step, but they are another “something you know” factor and add little against an attacker who has already phished or researched the user.
While an attacker may be able to guess credentials (through social engineering or brute force) or steal them, it is significantly harder to also obtain a biometric or a fresh OTP from the user’s app, which is why MFA blocks the bulk of credential-stuffing and password-reuse attacks. It is not an absolute barrier: OTPs and push approvals can still be phished or relayed in real time (see the Adversary-in-the-Middle statistics below), so phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys are preferred where available. Even so, MFA significantly raises the cost of account takeover and helps prevent breaches, data loss, and other account threats.
Stolen credentials are frequently listed as a main cause of security and account breaches. MFA, password management, and identity and access management tools can all be used to effectively secure your accounts.
Multi-factor authentication and two-factor authentication (2FA, the special case of exactly two factors) are part of a wider approach to cybersecurity known as zero trust. This is a security framework built on a “never trust, always verify” philosophy. It requires all network users, internal and external, to be authenticated and authorized continuously, rather than being given the benefit of the doubt because they are on the corporate network. MFA and 2FA are key tools for organizations looking to implement zero trust security.
We’ve compiled some recent statistics from a range of major and influential cybersecurity sources to empower you to make smarter decisions regarding MFA and your organization.
Multi-Factor Authentication Statistics
MFA Adoption
- According to JumpCloud, 87% of companies with over 10,000 employees use MFA, and SMBs trended towards an MFA adoption rate of around 34% or less.
- According to Statista, at least 98% of organizations worldwide support multiple forms of authentication, with one-time codes sent by SMS supported by about 56% of survey respondents and one-time codes sent by email supported by 51%. (Neither of these is a TOTP in the authenticator-app sense; both are delivered out of band and are the easiest factors to intercept or phish.)
- Mordor Intelligence estimates the MFA market size as of 2024 as $18.12 billion.
- The Cyber Readiness Institute 2024 Global Multifactor Authentication (MFA) Survey found that there is a large gap in MFA usage between American SMBs and SMBs in other regions. 89% of US-based small to medium-sized businesses do implement MFA, however, this number drops to just 35% for SMBs globally.
- 95% of US SMBs require the use of MFA by any customers or suppliers that connect to their systems, but only 5% of global SMBs require this.
- Okta found that highly regulated industries such as the government and education sectors saw a significant increase in MFA adoption, of over 5% in the course of a year.
For those who have adopted MFA, what has the impact been and what does it look like?
- The same report from Okta found that other than standard passwords (95% usage), the most popular authentication factor is push notifications (29%), followed by SMS (17%) and soft tokens (14%).
- The technology industry is still #1 in MFA adoption with a rate of 88%. The least likely industries to use MFA are transportation / warehousing (at 38%) and retail (at 43%), but overall adoption rates are up from previous years. Okta’s report also found that 91% of admins use MFA compared to 66% of non-admin end users.
It can be hard to judge the effectiveness of MFA in isolation from other security controls, but major providers no longer treat it as optional: Google has announced that MFA will be mandatory for all Google Cloud users by the end of 2025.
- According to the M-Trends 2024 report by Google’s Mandiant threat intelligence team, threat actors are adopting techniques such as Adversary-in-the-Middle (AiTM) attacks, in which a phishing proxy relays the victim’s password and one-time code to the real service in real time, to bypass MFA. This shift emphasizes the importance of adopting phishing-resistant MFA methods such as FIDO2/WebAuthn security keys and passkeys, which bind the authentication to the legitimate site’s origin so that a relayed login fails. Google’s own risk-based approach additionally requires users to give further proof of identity when it detects a suspicious sign-in attempt.
External actors were responsible for 65% of breaches in 2024
The Verizon 2024 Data Breach Investigations Report states that external threat actors are still behind the majority of breaches at 65%, but the remaining 35% of breaches involve internal actors, a major increase from the previous year.
32% of all breaches involved ransomware or some other extortion technique.
Threat actors rely on a variety of tactics and techniques to gain access to a network, including phishing communications, brute force attacks, and trojan malware. Internal actors can be financially motivated or act out of a grudge against the company, but many insider-caused breaches are the result of simple error or negligence rather than malice.
68% of all breaches included a non-malicious human element
- The same report from Verizon found that 68% of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error. “Human element” covers a range of scenarios; ultimately, it comes down to a person, knowingly or unknowingly, providing the opening. This can include privilege misuse, stolen credentials, social engineering, or genuine human error.
- According to the same report, this year has seen an increase in breaches stemming from errors, which is now at 28%.
Many cloud data breaches have been associated with access
According to Datadog’s 2024 State of Cloud Security report, initial access for a breach is most often achieved through credential stuffing attacks. However, newer techniques such as malicious OAuth application consent and AiTM attacks are also gaining popularity.
According to Orca Security’s 2024 State of Cloud Security Report, 61% of organizations have at least one root user or account owner without MFA. The report notes that:
“While there can be many reasons why an organization hasn’t implemented MFA for their account’s root user, the most likely reason is because it’s hard to manage MFA for shared accounts.”
To help combat this type of issue, AWS has been rolling out mandatory MFA for root users throughout 2024.
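The Orca finding above is one that any AWS customer can check for themselves, because the IAM credential report lists every user, including `<root_account>`, with an `mfa_active` column. The following is an added example written for this article, not Orca’s or AWS’s code: a small audit that reads a credential report and flags the root user and any console-enabled user without MFA. The sample report is constructed and keeps only the columns the check reads (the real report has many more, such as key rotation dates), and the severity labels are the editor’s own.

```python
import csv
import io

# Constructed sample in the layout of an AWS IAM credential report, trimmed to the
# columns this check uses. Root shows password_enabled as "not_supported" in the real report.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,true
"""

ROOT = "<root_account>"
KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def audit_mfa(report_csv: str) -> list:
    """Return a list of findings, one dict per problem, from credential-report CSV text.

    Policy (editor's assumptions, not an AWS rule set):
      - root without MFA is critical: it can change every other control in the account;
      - root with any active access key is critical: long-lived root credentials should not exist;
      - any user who can sign in to the console (password_enabled == true) without MFA is high;
      - API-only users (no console password) are out of MFA scope here but are still reported
        as informational so key-only identities are not forgotten.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        active_keys = [col for col in KEY_COLUMNS if row[col] == "true"]

        if is_root and not mfa:
            findings.append({"user": user, "severity": "critical", "issue": "root user without MFA"})
        if is_root and active_keys:
            findings.append({"user": user, "severity": "critical",
                             "issue": f"root user has active access keys: {', '.join(active_keys)}"})
        if not is_root and console and not mfa:
            findings.append({"user": user, "severity": "high", "issue": "console user without MFA"})
        if not is_root and not console and active_keys:
            findings.append({"user": user, "severity": "info",
                             "issue": "API-only user; MFA not applicable, review key rotation"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so the result can be tracked over time."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_REPORT):
        print(f"[{f['severity']:8}] {f['user']}: {f['issue']}")
    print(summarize(audit_mfa(SAMPLE_REPORT)))
```

Against a real account, generate the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded text to `audit_mfa`. The root row is the one that matters most: if it shows `mfa_active` false, fix that before anything else on the list.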
In a survey by Statista on why organizations may not have implemented MFA, 33% of respondents said that MFA was annoying, 23% considered it too complex, and another 23% cited it as too slow. Friction is a real cost, but it is an argument for choosing faster factors such as passkeys, security keys, or push prompts rather than for leaving MFA off. Without MFA, and without clear visibility into who has access to what, companies remain exposed to credential-based attacks.
Accidental exposure of credentials is a major concern for cloud security
In a 2023 survey of IT and cybersecurity professionals, over 40% of respondents mentioned their organization’s reliance on legacy systems that require passwords as a barrier to implementing passwordless authentication factors. Other concerns highlighted by IT teams included disagreements surrounding implementation, skill gaps, and budget constraints.
Credential exposure can create further problems if organizations don’t have strong identity and access management solutions in place to combat any instances of attackers trying to access and use company user accounts. Again, MFA can play an instrumental part in preventing attackers at the point of sign in.
Financial reasons are the primary motivator for attacks
Verizon’s 2023 report reveals that the primary motivation for attacks was financial: 95% of all reported breaches in the past year were driven by financial factors.
The average cost of a data breach is USD 4.88 million
- IBM’s Cost of a Data Breach 2024 report estimates the average cost of a breach as $4.88 million USD, which is a 10% increase from last year.
- 75% of the increase in average breach costs in this year’s study was due to the cost of lost business and post-breach response activities.
- This report also states that 40% of data breaches involved data stored across multiple environments. Breached data stored in public clouds incurred the highest average breach cost at USD 5.17 million.
- In IBM’s 2022 report it took teams an average of 207 days to identify a breach and a further 70 days to contain it, a 277-day lifecycle. The 2024 report shows modest improvement, at 194 days to identify and 64 days to contain, for a total lifecycle of 258 days.
- IBM also noted that breaches that began with stolen or compromised credentials took the longest to resolve, at about 292 days to identify and contain. That extra time is where MFA earns its keep: a stolen password that cannot be used on its own never becomes a months-long intrusion.
- IBM reports that organizations who leverage AI and automation extensively in their security strategy can save an average of $2.2 million on the cost of a data breach.
One of the top security related cloud threats is account compromise
While the global migration to the cloud offers a range of benefits and opportunities, moving business operations to the cloud is not without security problems and downsides. These include problems surrounding identities, access, and credentials. Maintaining cloud security and managing identities has become more important than ever in recent years.
- Check Point’s 2024 Cloud Security Report found that cloud security incidents are on the rise, with 61% of organizations reporting an incident within the last year, a significant increase from 24% the year before.
- Data security breaches have emerged as the most common cloud security incident, reported by 21% of organizations.
- Additionally, the fact that 23% of respondents were either unsure or unable to disclose details about these incidents suggests a concerning lack of visibility and control over cloud security, which could exacerbate the risk of undetected breaches.
Password hygiene and best practices continue to fall short
- A chain is only as strong as its weakest link and, apparently, a company’s security is no stronger than the “qwerty” password one of its employees uses.
- Credentials have always been difficult for organizations to manage. While employers can stress the importance of good password hygiene and roll out password managers, maintaining password security remains hard in practice.
- The most common passwords are still “123456”, “123456789”, “qwerty”, “password”, and “12345”, suggesting that even with the greater understanding we now have of the risks of weak passwords, something is still compelling users to neglect password security in favor of convenience.
- Dashlane’s 2024 Security Report Card shows that the industries with the best password hygiene are tech, media, education, transportation, and hospitality. The industries with the worst password hygiene are legal, manufacturing, construction, healthcare, and utilities. Most of the bottom-performing industries revolve around physical, offline types of work.
- According to a study from security.org, over half of surveyed American adults use unsecured methods like memorization, browser storage, and written records to manage their passwords. Nearly one in five reuse the same passwords across accounts.
- When asked how they manage their passwords, the most popular methods among respondents were memorization followed by password managers and saving credentials in the browser. 26% of those surveyed admitted to writing passwords in notes on their computer or mobile device, and 25% wrote them down on paper.
Summary
No two attacks, attackers, or motives are the same. However, from the statistics detailed in this article, it is clear that stolen credentials, account takeover, and impersonation tactics continue to be some of the largest contributors to security and data breaches. MFA, bolstered by other identity and access management solutions, can be highly beneficial in preventing and mitigating these breaches.
This isn’t to say that tools like password managers and measures like security awareness training aren’t important, because they are. But it’s clear that credentials are highly sought-after pieces of information. Maintaining password and account security should, therefore, be a priority for all organizations wanting to protect their accounts and data. MFA acts as an essential barrier at the point where attackers have taken the first step in an attack lifecycle and obtained login credentials, and phishing-resistant MFA keeps that barrier in place even when the attacker is relaying a live login.