Influences on the Adoption of Multifactor Authentication
ResearchPublished Apr 15, 2011
Passwords are presently the primary method by which users authenticate themselves to computer systems. But passwords are proving less and less capable of protecting systems from abuse. Multifactor authentication (MFA) — which combines something you know (e.g., a PIN), something you have (e.g., a token), and/or something you are (e.g., a fingerprint) — is increasingly being required. This report investigates why organizations choose to adopt or not adopt MFA — and where they choose to use it. The authors reviewed the academic literature and articles in the trade press and conducted structured conversations with selected organizations that use or have contemplated using MFA. They found that the type of organization — for example, defense contractor, bank, hospital — affected its MFA choices. MFA is mandated for U.S. government agencies, which tend to use PINs and tokens for remote access. Among private users of MFA, tokens that generate one-time passwords, rather than biometrics, predominate. The researchers recommend that the U.S. government develop methodologies by which the costs and benefits of mandating MFA can be evaluated. Guidance by the National Institute of Standards to government agencies may be useful in helping them sort out the various arguments for and against mandating MFA in a given sector.
Downloads
Topics
Document Details
- Copyright: RAND Corporation
- Availability: Web Only
- Year: 2011
- Pages: 62
- Document Number: TR-937-NIST
Citation
RAND Style Manual
Libicki, Martin C., Edward Balkovich, Brian A. Jackson, Rena Rudavsky, and Katharine Watkins Webb, Influences on the Adoption of Multifactor Authentication, RAND Corporation, TR-937-NIST, 2011. As of May 6, 2026: https://www.rand.org/pubs/technical_reports/TR937.html
Chicago Manual of Style
Libicki, Martin C., Edward Balkovich, Brian A. Jackson, Rena Rudavsky, and Katharine Watkins Webb, Influences on the Adoption of Multifactor Authentication. Santa Monica, CA: RAND Corporation, 2011. https://www.rand.org/pubs/technical_reports/TR937.html.
Research conducted by
This report was sponsored by the National Institute of Standards and Technology and was conducted under the auspices of the RAND Homeland Security and Defense Center, a joint center of the RAND National Security Research Division and RAND Infrastructure, Safety, and Environment.
This publication is part of the RAND technical report series. RAND technical reports, products of RAND from 2003 to 2011, presented research findings on a topic limited in scope or intended for a narrow audience; discussions of the methodology employed in research; literature reviews, survey instruments, modeling exercises, guidelines for practitioners and research professionals, and supporting documentation; and preliminary findings. All RAND technical reports were subject to rigorous peer review to ensure high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.