Two-factor authentication is a great idea. But not enough people are using it

Two-factor authentication can be a major barrier against accounts being hacked, so why aren't you using it?
Written by Danny Palmer, Senior Writer

Hackers can easily use stolen usernames and passwords to conduct cyberattacks because many online accounts still don't use two-factor authentication controls designed to help keen them safe.

Two-factor authentication (2FA) – or multi-factor authentication (MFA) as it's alternatively known – is one of the key methods that individual users and wider organisations can use to help protect their online accounts from being hacked, even if their login credentials have been leaked or stolen. 

However, according to the DCMS Cyber Security Breaches Survey 2022, only around third of organisations have any requirement for two-factor authentication on user accounts – the figure stands at 37% for businesses and 31% for charities. 

SEE: Multi-factor authentication: How to enable 2FA to step up your security

That means that around two-thirds of organisations don't have any rules around two-factor authentication at all, so employees are unlikely to be using it, leaving their user accounts vulnerable to cyberattacks and hacking. 

Two-factor authentication creates an additional layer of protection, requiring users to use a text message, app or hardware key to confirm that it's really them attempting to log in to their account. This can help to stop cyber criminals from logging into online accounts with breached or stolen passwords.  

But with so few users equipping accounts with two-factor authentication, cyber criminals could directly access accounts if they've got the login credentials, whether the username and password is stolen using a phishing email, guessed because it's weak or taken from a previous data dump

Breached accounts, particularly those accessed using remote desktop protocol, can be used to steal additional information, or be quietly used to move around the network and lay the foundations for a malware or ransomware attack

Two-factor authentication is more widely used in some sectors than it is in others. For example, DCMS data says there are policies in place in around two-thirds of businesses in information and communications, while under one in five businesses within the food and hospitality have rules around it. 

Other industries with low uptake of two-factor authentication are utilities, production, and manufacturing, where only 28% of businesses have any policies in place. These critical industries are already a tempting target for cyber criminals – particularly ransomware gangs – and the lack of additional protections on accounts leaves them even more vulnerable. 

At a time when the government is urging organisations to be wary of cybersecurity threats, more needs to be done to ensure that two-factor authentication and other cybersecurity measures –such as applying security patches in a timely manner, using strong passwords and keeping antivirus software up-to-date – are in place.  

"It is vital that every organisation takes cybersecurity seriously as more and more business is done online and we live in a time of increasing cyber risk," said cyber minister, Julia Lopez. 

"No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online."  

The National Cyber Security Centre also offers advice to businesses and individual users on how to keep accounts secure and how to stay safe online. 


Editorial standards