The results of our Two-Factor Authentication (2FA) Power Rankings are in. The rankings, which examined the prevalence of 2FA offerings among 34 top consumer websites in the United States, found that 76% of sites do not offer users a full set of 2FA options.

Dashlane researchers tested each website on three critical 2FA criteria, awarding one point for SMS or email authentication, one point for software tokens, and three points for hardware tokens, such as YubiKey or U2F authentication, for a maximum and passing score of 5/5. Any site that scored below 5/5 was deemed to be failing as they do not offer their users a full range of 2FA options.

Lack of 2FA options on most websites

Of the 34 sites Dashlane examined, only 8 (24%) received a passing score: Bank of America, Dropbox, E*TRADE, Facebook, Google, Stripe, Twitter, and Wells Fargo. Four of the websites tested offered no 2FA options at all: Best Buy, NextDoor, TaskRabbit, and ZocDoc.

Dashlane's 2FA power rankings

“Through the course of our research we found that information on 2FA is often presented in a way that is unclear, making it difficult for consumers to confirm 2FA offerings,” said Emmanuel Schalit, CEO of Dashlane. “In fact, our researchers were forced to omit a large number of popular websites from our testing simply because the sites don’t provide any straightforward or easily accessible information about their 2FA offerings. It’s reasonable to conclude that many consumers are not taking full advantage of the security options available to them due to this lack of transparency.”

Extra layer of security

2FA is one of the best ways to add an extra layer of security to any account, as it requires anyone trying to access your account to have an additional method of authentication, such as a code sent to your phone. While no method of 2FA is invulnerable, hardware token-based 2FA is by far the most secure form, as it would require a potential hacker to have access to both your password and your physical hardware key. This is precisely why Dashlane was the first password manager to work with Universal 2nd Factor (U2F) security keys, backed by Yubico and the FIDO Alliance.

“It is fitting that we decided to share the results of this research near Halloween because in the wake of recent data breaches and hacks, there should be nothing scarier to an organization than the thought of risking their customers’ valuable data,” continued Schalit. “We want to educate the public about the benefits of an addition like two-factor authentication so that they can demand the latest innovations in security from the companies serving them.”

You can find the full rankings in the table at the bottom of this post.

Methodology

The study was conducted by Dashlane researchers from October 10 – 23, 2018. The researchers evaluated three 2FA criteria on 34 popular consumer-related websites:

  1. SMS and/or Email-Based 2FA: A site was given credit if they offered any form of SMS or email second factor authentication.
  2. Software Token 2FA: A site was given credit if they offered any form of software token second-factor authentication. The most popular options were third-party app-based authenticators, such as Authy or Google Authenticator. Dashlane also gave credit to sites that offered their own proprietary software-based authenticators.
  3. Hardware Token 2FA: A site was given credit if they offered any form of hardware token second-factor authentication. The most popular options were YubiKey and Google Titan in addition to other U2F physical authentication keys. Sites were given credit if they offered their own proprietary hardware device.

A site received 1 point for offering SMS and/or email options, 1 point for offering software token options, and 3 points for hardware token options, for a maximum of 5 points. Any score below 5/5 was considered failing for not offering their users a full range of 2FA options.

Dashlane evaluated the 2FA options the sites offer for logins on desktop browsers only. The team verified the publicly listed 2FA options on the websites’ security and privacy pages by performing logins on Chrome and Safari browsers. Dashlane did not evaluate 2FA options for any of the sites’ mobile applications, mobile browsers, or desktop applications. A site was only given credit if 2FA is offered for sign-in purposes. Dashlane did not test 2FA options provided for actions completed after a user has successfully signed in, such as online purchases, adding a credential, etc.

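| Company | SMS/Email | Soft. Token | Hard. Token | Total Score |
|---|---|---|---|---|
| Twitter | Y | Y | Y | 5 |
| Bank of America | Y | Y | Y | 5 |
| Dropbox | Y | Y | Y | 5 |
| E*TRADE | Y | Y | Y | 5 |
| Facebook | Y | Y | Y | 5 |
| Google | Y | Y | Y | 5 |
| Stripe | Y | Y | Y | 5 |
| Wells Fargo | Y | Y | Y | 5 |
| Evernote | Y | Y | N | 2 |
| Capital One | Y | Y | N | 2 |
| Gemini | Y | Y | N | 2 |
| Apple | Y | Y | N | 2 |
| Coinbase | Y | Y | N | 2 |
| Instagram | Y | Y | N | 2 |
| Intuit (TurboTax) | Y | Y | N | 2 |
| WhatsApp | Y | Y | N | 2 |
| Slack | Y | Y | N | 2 |
| Square | Y | Y | N | 2 |
| GoDaddy | Y | Y | N | 2 |
| Betterment | Y | Y | N | 2 |
| Amazon | Y | Y | N | 2 |
| Mint | Y | N | N | 1 |
| Citibank | Y | N | N | 1 |
| Yahoo! | Y | N | N | 1 |
| Discover | Y | N | N | 1 |
| Airbnb | Y | N | N | 1 |
| American Express | Y | N | N | 1 |
| Chase | Y | N | N | 1 |
| LinkedIn | Y | N | N | 1 |
| Venmo | Y | N | N | 1 |
| TaskRabbit | N | N | N | 0 |
| NextDoor | N | N | N | 0 |
| Best Buy | N | N | N | 0 |
| ZocDoc | N | N | N | 0 |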