Multi-factor authentication (MFA) has been around for many years now, but few enterprises have fully embraced it. In fact, according to Microsoft’s inaugural “Cyber Signals” report, only 22 percent of all its Azure Active Directory (AD) enterprise clients have adopted two-factor authentication (2FA), a form of MFA. That leaves 78 percent that only require usernames and passwords to authenticate account users.

A 22 percent adoption rate is meager, especially in the face of the multiple online threats that enterprises face daily. For example, from January to December 2021, Microsoft detected a jaw-dropping 25.6 billion account hijacking attempts using brute-forced stolen passwords. Other cybercrimes that specifically target accounts are spear phishing, social engineering attacks, and password sprays—basic password attack tactics that nation-states carry out against target companies and governments.

There’s low MFA adoption elsewhere, too

Microsoft is not the only company to reveal that internet users have been reluctant to adopt MFA.

In July 2021, Twitter disclosed in its transparency report that only 2.5 percent of its active users have “at least one 2FA method enabled”. Most of those using 2FA have at least SMS authentication (77.7 percent) enabled, and a portion has enabled the option of using an authentication app (30.1 percent). Although that’s an improvement on the previous report, MFA adoption remains low overall.

Google introduced 2FA to Gmail in 2011. Seven years later, in the words of The Register, “virtually no one is using it.” This claim was backed up by Grzegorz Milka, a Google software engineer who presented at the Usenix’s Enigma 2018 security conference. Milka revealed that, at the time of his talk, less than 10 percent of Google accounts used 2FA.

Low MFA adoption is also common for developers. Npm stands for Node Package Manager. It’s a widely used JavaScript package manager and the largest repository of computer programming packages on the Internet. According to ZDNet, only 9.27 percent of npm developers use 2FA to secure their accounts. So, if attackers successfully compromise the accounts of these developers, they could freely plant malicious code into packages primarily used by other software developers worldwide.

MFA adoption struggles are real

Whenever we ask why there’s low MFA adoption, the overall reason is that change is hard and it’s inconvenient.

To encourage users to enable MFA on their accounts, making it easy for them is key. Google and Twitter have already changed their MFA features to make them more straightforward and user-friendly. And while this is a great move, we expect (and encourage) these big organizations to make it mandatory for all users to have MFA enabled.

The risks are just too high for a little bit of inconvenience.