MFA and Autofill Security and Vulnerability

MFA and Autofill Security and Vulnerability

Categories: Infographic

Key takeaways

  • Although three in four said MFA annoys them, 65% said it has saved them from an account being compromised.
  • 62% have experienced an MFA fatigue attack, and nearly one in 10 have never regained access to a locked account due to MFA.
  • 49% said they had abandoned a cart because they got tired of trying to log in, and 53% said this frustration has prevented them from making a payment.
  • 92% said that autofill has led to them forgetting a password.

Multi-factor authentication and the user experience

Have you ever been locked out of an online account because you forgot your password? It can be a frustrating experience, for sure. Now imagine having to enter a password plus extra information to log in. That’s traditional multi-factor authentication (MFA)—but not all MFAs are created equal, and the most advanced now offer a frictionless security experience for users.

MFA is a layered approach to account security. Instead of requiring a single password, users provide multiple pieces of information to verify their identity and access their accounts. Though strong MFA can increase account security, the different verification steps of weak MFA can be tedious and easy to hack. Likewise, autofill-enabled passwords can save time, but not everyone feels secure using them.

How many people find MFA reassuring, how many think it’s a waste of time, and how do they feel about autofill? We surveyed 1,006 consumers across four generations to find out.

MFA usage and fatigue attacks

As more companies offer MFA for their websites and apps, users can choose how they want to secure their accounts. Some rely on MFA for every account, but others are more selective. When is MFA most often used, and how frequently does it lead to security attacks known as MFA fatigue attacks?

MFA usage and fatigue attacks

Eager to protect sensitive financial information, 62% of consumers used MFA to access their bank accounts. However, many banks require MFA, so those users may not have had an option. Social media was also a trigger for added security measures:

As for the type of MFA used, text messages (42%) were the preferred secondary authentication, emails (30%) were the next favorite, and phone calls (20%) were third.

Consumer attitudes toward MFA varied by generation. Gen Z was the most likely to be annoyed by traditional MFA. In fact, Gen Zers were 17% more likely than Gen Xers to be irritated by traditional MFA and 14% more likely than Gen Xers or millennials to abandon a cart due to login issues. While seemingly harmless, this frustration has led to significant security breaches.

fatigue attacks

The latest trend in security hacking is the MFA fatigue attack. This refers to a hacker attempting to access a user’s account, knowing that the MFA will send the user a verification request. The hacker repeatedly tries to access the account, bombarding the user with push notifications in the hopes that they’ll approve the login out of sheer frustration or exhaustion. Hackers will even send fake emails, posing as a member of the IT department and asking the user to approve the verification.

MFA fatigue attacks happened to 55% of user bank accounts who had MFA enabled, 54% of Facebook accounts, and 47% of Instagram accounts. Fatigue attacks were rare for Apple ID accounts (19%) and PayPal accounts (13%), but only 19% of users had enabled MFA on those accounts. The trend was clear—the more MFA-enabled accounts there were, the higher the number of fatigue attacks.

Autofill-enabled password usage

To save time on repeatedly entering information, some users enable their apps and browsers to autofill their passwords. How many people use this convenience, and do they feel secure doing so?

autofill-enabled password usage

A majority of users enabled autofill, especially in Google Chrome (76%). Most respondents used autofill passwords for social media on Facebook (56%), Instagram (49%), and Twitter (44%). Another 48% used autofill passwords for banking. Gen Xers were the most likely to use autofill passwords for Facebook, while Gen Zers were the most likely to use them for cryptocurrency accounts.

Of autofill users, 73% felt safe about their autofill-enabled accounts, but there was a generational gap in security views. Gen Z, Gen X, and millennials felt secure using autofill, but baby boomers were more cautious about their passwords: 28% of them didn’t use autofill on any accounts.

One major drawback of autofill passwords is the possibility of forgetting your password after not having to type it out for an extended period. This has been a reality for most, as 92% of respondents said using autofill led them to forget at least one password.

Moving on from passwords

Traditional MFA might increase account security, but it can sometimes be a hassle for users. Conversely, autofill-enabled passwords are convenient but undermine account security. While many consumers use both tools to secure their accounts, current weak MFA and autofill practices leave accounts vulnerable to attack. A more reliable login option would eliminate the need for passwords altogether. That’s where Beyond Identity comes in.


Beyond Identity surveyed 1,006 respondents across four generations to determine consumer sentiments toward MFA and autofill.

About Beyond Identity

Beyond Identity is a phishing-resistant, passwordless MFA that links identities with devices while also using three phishing-resistant factors. Eliminating the need for passwords and one-time codes, Beyond Identity creates a frictionless login experience for users while maintaining powerful security for all your data.

Fair use statement

Have you experienced MFA fatigue? Feel free to share this article with anyone you’d like. We just ask that you do so for noncommercial purposes only and provide a link back to this page to give the authors their due credit.