New Study: The One Big Security Trick People Aren’t Using

Security insiders and IT pros have long talked about the security benefits of two-factor authentication (2FA). But a recent consumer survey by LastPass found that 70% of people don’t use or don’t know about 2FA. It looks like many of us are still in the dark when it comes to this simple way to boost security and stop online attacks.

In our survey, we asked 2,000 consumers if they used 2FA. Only 30 percent of respondents said they use a solution on some or all of their personal or professional accounts. Another 29 percent said they do not use 2FA at all, while 41 percent said they had no idea what 2FA even was.

According to the survey, the leading reason respondents gave for not using a 2FA solution was that the majority (52 percent) weren’t sure how it works. It’s clear that current 2FA solutions fall short of providing a user-friendly experience and simple set-up.

If you’re new to the idea of 2FA, the concept is straightforward: Two layers of security are always stronger than one. With 2FA, a second step is required before access is granted when logging in to an account. You combine something you know (your password) with something you have (your smartphone), or something you are (your fingerprint), or somewhere you are (your trusted location). Only once those required pieces of information are supplied is access given.

Why is 2FA so much better? Because even if a password is stolen or compromised, 2FA ensures that an attacker still can’t gain access to an account. Plus, the login notification can serve as an alert that someone may be trying to gain unauthorized access.

Using a two-factor authentication tool is one of the best ways to keep your data and online accounts safe. And now, it’s also one of the easiest, thanks to LastPass Authenticator. LastPass Authenticator is making it simple and convenient for anyone to follow best practices for protecting their information. Our one-tap push notification makes it dead simple for anyone to authenticate to their LastPass account. It’s fast, convenient, and easy-to-use.

Plus, LastPass Authenticator allows you to activate 2FA for not just your LastPass account, but for many other important accounts as well. Anywhere Google Authenticator is supported, you can also enable LastPass Authenticator, so you can also consolidate your 2FA into a single app.

We’re on a mission to make it simple and convenient for you to follow best practices for protecting your personal information. More great updates are on the way for LastPass Authenticator, so stay tuned!

Research Methodology

LastPass commissioned a survey through Lab42 of 2,000 adults ages 18+ with at least one online account. Respondents represented the United States, France, UK, Germany, Australia and New Zealand. Data was collected May 4-May 18, 2016.



  • Dave Hein says:

    On of the problems with 2FA is that if you lose your phone (or it gets bricked or stolen) then you can’t access your accounts. Same thing if you used a physical key generator like a YubaKey .. if you lose the physical thing you lose account access. That may be why some folks choose not to adopt 2FA.

    I created a Python utility, “authenticator” (, so that I could produce authentication codes on any of my computers, not just my phone. It produces the same time-based authentication codes as Google Authenticator and LastPass Authenticator. This way if my mobile device is “unavailable” I can still generate authentication codes from any computer that has Python and my encrypted authentication data file.

    So I use Google Authenticator on my phone and tablet, and I use my Python ‘authenticator’ on my Windows, Linux, and Mac systems. I’ve looked at LastPass Authenticator but (unlike Google Authenticator) it only accepts secrets as QR codes and not as ASCII strings, so I can’t use it (because I need the ASCII string for ‘authenticator’).

    Note: if you are serious about 2FA then you won’t depend on SMS to deliver authentication. It’s better than nothing, but definitely open to a variety of attacks. The US NIST just updated their Digital Authentication Guideline ( and in it they deprecate the use of SMS for authentication. The use of TOTP (time-based one-time passwords) is significantly more secure. I use 2FA everywhere I can, but only if it is TOTP, not if SMS.

  • Margo says:

    I presume Microsoft 2 step security is what you mean? From my experience it is ill thought out and leaves the owner not able to get use of an email. Myself nearlt 6 months locked out of my club email I use for membership information. It was a real nightmare.

    • Amber Gott says:

      Sorry to hear of the poor experience with 2FA, Margo! There are a lot of different 2FA options out there and not all experiences are created equal. We hope you may give LastPass Authenticator a try, let us know if we can help further.

  • Yandee says:

    Sounds good ! but what happens if say you don’t have your mobile with you say its 10 mile away and only a laptop, or just your Android smartphone while travelling ?

  • Mike says:

    I am an active 2FA user with Authy. I use LastPass 2FA with Authy, I would still have to have another authenticator app just for 2fa for LastPass. makes having just one app sort of impossible.

  • rwizard says:

    I am a long time user of Yubikey with Lastpass, and because I keep keys in multiple locations, as well as allowing family members to use their Yubikeys (normally used with their accounts) to log in to my account when they need to, I REALLY wish that you would allow enrollment of more than 5 Yubikeys in my account. I first asked for this a couple of years ago, and as an early adopter of Lastpass, I’d be very grateful if this were fixed. The rest of the world may not be using hardware based 2FA, but I use the heck out of it, and so do my friends, family, and anyone else I can persuade about its value.
    I also want to remind everyone that SMS (text message) based 2FA has recently been deprecated by NIST because it is simply too insecure. I would urge folks NOT to use that method. The reason is that there are effective exploits for intercepting SMS messages, allowing an attacker to completely negate the intended benefit of 2FA.