Why Two-Factor Authentication Adoption Is Still So Low
Two-factor authentication is one of the most effective security tools available to ordinary internet users. It’s free on virtually every major platform. It takes about thirty seconds to set up. And it prevents the vast majority of account takeover attacks.
So why does Google report that only about 30% of active accounts have 2FA enabled? Why do Microsoft’s numbers look similar? Why, after years of data breaches, security awareness campaigns, and increasingly alarming headlines, do most people still rely on passwords alone?
The answer isn’t ignorance. It’s friction, confusion, and some legitimate design problems that the security industry has been slow to fix.
The Friction Problem
Let’s be honest about what 2FA asks of users. Every time you log in to a protected account, you need to:
- Enter your password
- Grab your phone
- Open an authenticator app (or wait for an SMS code)
- Type in a six-digit code that expires in thirty seconds
- Do all of this before the code changes
That process adds 15-30 seconds to every login. For someone who logs into their email, Slack, banking, and social media multiple times a day, those seconds accumulate. It doesn’t feel like a big deal in theory. In practice, it’s annoying enough that many people disable it after a few weeks.
This is the core tension in security design: the more secure a system is, the more inconvenient it tends to be. And when users are given a choice between security and convenience, convenience wins almost every time.
SMS 2FA: The Weakest Link
The most common form of 2FA is SMS-based — the platform sends a text message with a code to your phone number. It’s the easiest to set up and the one most platforms default to.
It’s also the least secure. SIM-swapping attacks, where criminals convince your mobile carrier to transfer your number to their SIM card, can intercept SMS codes. The National Institute of Standards and Technology (NIST) deprecated SMS-based 2FA back in 2016, recommending authenticator apps or hardware keys instead.
But here’s the problem: telling people “you should use 2FA, but not that kind of 2FA” is confusing. Most users don’t understand the difference between SMS codes and app-generated codes. They just know they’re being asked to do something extra, and when they hear that the most common version isn’t even secure, they think “why bother?”
The messaging around 2FA security is muddled. SMS 2FA is significantly better than no 2FA at all. It stops the vast majority of attacks. But the security community’s insistence on pointing out its weaknesses, while technically correct, has the perverse effect of discouraging adoption entirely.
Authenticator App Confusion
Authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy are more secure than SMS. But they introduce their own problems.
Backup and recovery. What happens if you lose your phone? With SMS 2FA, you get a new SIM and you’re back in business. With an authenticator app, you need backup codes that you saved somewhere (did you save them?) or you need to go through an account recovery process that can take days.
This fear of being locked out of your own accounts is a major deterrent. I’ve talked to dozens of people who don’t use 2FA specifically because they’re afraid of losing access. And it’s not an irrational fear — locked-out-of-my-account stories are common in tech forums and social media.
Too many apps. Google wants you to use Google Authenticator. Microsoft wants you to use Microsoft Authenticator. Your bank has its own app. Your work uses Okta. Before you know it, you’ve got four authentication apps on your phone, and you can’t remember which one has which codes.
The setup experience. QR codes, secret keys, backup codes — the setup process for authenticator apps assumes a level of technical literacy that many users don’t have. It’s not hard if you’ve done it before. But for a first-time user, it feels intimidating.
Hardware Keys: Great Tech, Terrible Adoption
Hardware security keys like YubiKey are the gold standard for 2FA. They’re phishing-resistant, don’t require a phone, and work with most major platforms. Google requires them for all employee accounts and has had zero successful phishing attacks on employee accounts since implementing them.
The problem is that they cost money ($25-$70 per key), you need two of them (a primary and a backup), and losing them is a genuine risk. They also require physical USB or NFC access, which doesn’t always work smoothly with phones and tablets.
For organisations, distributing and managing hardware keys across a workforce is a logistics challenge. For individuals, spending $50-$140 on authentication hardware feels excessive when the threat seems abstract.
Passkeys: The Potential Solution
The biggest shift in authentication recently has been the rise of passkeys — a FIDO Alliance standard that replaces passwords entirely with device-based cryptographic credentials. You authenticate with your fingerprint, face, or device PIN. No password. No code. No app.
Apple, Google, and Microsoft have all implemented passkey support, and adoption is growing. The user experience is dramatically better than traditional 2FA: you tap your fingerprint reader and you’re in.
But passkeys have their own adoption challenges. They’re tied to specific devices and ecosystems, making cross-platform use awkward. The concept is confusing to users who’ve spent decades thinking in terms of passwords. And many websites and services haven’t implemented passkey support yet.
What Would Actually Increase Adoption
After looking at this problem for years, I think the answer isn’t better technology — we already have it. The answer is:
Make 2FA the default, not opt-in. Google experimented with auto-enrolling users in 2FA and saw adoption spike. When people have to opt out rather than opt in, most stay enrolled.
Reduce the frequency of prompts. Trust familiar devices. If I’m logging in from the same laptop I’ve used for three years, I don’t need to enter a code every single time. Risk-based authentication — prompting for 2FA only when behaviour is unusual — significantly reduces friction.
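An added example (not the article's code) of the "trust familiar devices" policy just described: after a successful 2FA challenge the server mints a signed device token, and later logins skip the prompt only when that token verifies, has not expired, and the request comes from a network the user has logged in from before. The signing key, the sample networks and the helper names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed demo key; a real deployment keeps this server-side and rotates it.
SERVER_KEY = b"constructed-demo-signing-key"
TRUST_SECONDS = 30 * 86400   # how long a "remembered" device skips the 2FA prompt


def issue_device_token(user_id: str, device_id: str, issued_at: int) -> str:
    """Mint a signed 'remember this device' cookie after a successful 2FA challenge."""
    claims = {"u": user_id, "d": device_id, "t": issued_at}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def device_token_valid(token: str, user_id: str, now: int) -> bool:
    """Reject tokens whose signature fails, that belong to another user, or that expired."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["u"] == user_id and 0 <= now - claims["t"] <= TRUST_SECONDS


def login_needs_second_factor(user_id, device_token, client_ip, seen_networks, now):
    """Decide whether this login gets a 2FA prompt. Returns (prompt, reason).
    A valid device token on a network the user has logged in from before is the
    familiar case the article wants to stop prompting; anything else steps up."""
    if not device_token or not device_token_valid(device_token, user_id, now):
        return True, "untrusted or expired device"
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in seen_networks):
        return True, "unfamiliar network"
    return False, "trusted device on familiar network"


# Constructed sample history: networks alice previously completed 2FA from.
ALICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:1::/48")]
```

The network check is deliberately coarse; a production risk engine would add signals such as new user agent or impossible travel, but the shape of the decision stays the same.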
Standardise the experience. The fragmented landscape of SMS, apps, keys, and passkeys is confusing. The industry needs to converge on one or two approaches and make them consistent across platforms.
Stop scaring people about lockouts. Account recovery for 2FA-protected accounts needs to be reliable and well-documented. If people are confident they can recover access, they’re much more likely to enable protection in the first place.
2FA is a solved technical problem. The adoption problem is about design, defaults, and human psychology. Until the security industry takes those factors as seriously as the cryptography, we’ll keep seeing articles like this one.