What’s the Most Popular Form of Two-Factor Authentication in 2023?

Last updated on March 3rd, 2023 at 03:55 am

Underneath the text "Most popular" is a bar graph with pink bars of varying length.
ID 143374808 © Feng Yu | Dreamstime.com

A couple of weeks ago, I found myself wondering what the most popular form of two-factor authentication (2FA) is. 

Is it the least secure but temptingly convenient SMS-based 2FA that sends you a code via text? Or the more secure but somewhat cumbersome authenticator app that generates codes on your phone? What about the ultra-secure but more expensive hardware key that lets you verify your identity with the tap of a button?

I tried asking on Twitter, but as I’m not exactly a social media influencer, my poll received a paltry seven votes. So, I decided to pony up $30 and run a quick study on the survey platform Prolific to reach more people.

Which method of two factor authentication do you prefer to use? I'm also curious about why you prefer that method! I primarily use Authy but recently got some Yubikeys I'm excited to set up! #CyberSecurity
SMS 42.9% 
Authenticator app 28.6%
Push notification 28.6%
Securitykey 0%
The results of my tiny Twitter poll. Source: My personal Twitter account.

$30 bought me 26 survey takers, which is much better than seven, but not exactly enough to draw any rigorous conclusions. Still, it’s sufficient to see some trends emerge and the results seem in line with my tiny Twitter poll.

Survey results

First, I asked the survey takers whether they use 2FA on at least one account. The answer was a pleasant surprise: everyone did.

Then I asked the participants for their preferred 2FA method out of SMS, email, authenticator app, push notification, and security key. 

What's the most popular form of 2FA in 2023?
Security key: 0%
Push notifications:23.1%
Authenticator: 7.7%
Email: 7.7%
SMS: 61.5%
The most popular 2FA methods, according to survey takers on Prolific. Security keys got no love 🙁 Image made by Safe, Not Scammed in Canva.

Perhaps not surprisingly, SMS reigned supreme, with a whopping 61.5% of the vote. Survey takers said they preferred this method because of how fast and easy it is to use.

Push notifications were the next most popular option, though they received just 23.1% of the vote. Authenticator apps and email were tied for third place, with 7.7% of the votes each. A little disappointingly, security keys received no votes at all.

I also asked the survey takers if they were familiar with four ways cybercriminals can bypass 2FA: SIM swaps, prompt bombing (also called push bombing), phishing, and cookie hijacking malware. 

How many ways of bypassing 2FA are people familiar with?
0 methods: 30.8%
1 method: 34.6%
2 methods: 26.9%
3 methods: 3.8%
4 methods: 3.8%
How many ways of bypassing 2FA were survey takers aware of? Image made by Safe, Not Scammed in Canva.

Most were relatively unaware of these methods. 30.8% reported being familiar with none of them, while 34.6% were familiar with just one. And although 26.9% were aware of two different techniques, just 3.8% had heard of three and 3.8% had heard of all 4.

Which ways of bypassing 2FA are people familiar with?
SIM swaps: 8 people
Prompt bombing: 2 people
Phishing: 15 people
Cookie hijacking malware: 5 people
None of the above: 8 people
Which ways of bypassing 2FA were familiar to the survey takers? Image made by Safe, Not Scammed in Canva.

Phishing was the most well-known method of 2FA bypass, with 57.7% of survey takers reporting being familiar with it. 

Despite SIM-swapping making the news thanks to high-profile victims like Jack Dorsey, only 30.8% of survey takers indicated they had heard of it.

Cookie hijacking malware, which has been gaining in popularity in recent years, was familiar to just 19.2% of survey takers.

Prompt bombing, which made the news last year thanks to the antics of hacking collective Lapsus$, was the least well-known, with only 7.7% of survey takers being aware of this technique.

Thoughts on the survey results 

While any form of 2FA is better than none, it’s concerning that such a large proportion of people prefer SMS-based 2FA. Security experts have been warning for years that it’s insecure, and recent data breaches, like those at T-Mobile, make it easier for cybercriminals to carry out SIM-swaps and steal 2FA codes sent via text.

It’s also worrying that most people are not aware of the common ways cybercriminals can bypass 2FA. A lack of familiarity with these attacks means people are not in a good position to defend themselves and their accounts. 

The takeaway

If you’re one of the majority of people who rely on SMS-based 2FA, consider trying out an alternative method, at least for high-value accounts. Authenticator apps, like Authy, are a good option for most people, though for maximum security a security key is the way to go.

Finally, it’s worthwhile spending a little time learning about the ways attackers can bypass 2FA. That way, you know what to look out for and can keep your accounts secure!

Leave a Comment

Your email address will not be published. Required fields are marked *