The ongoing hacking epidemic is leading people to protect their online accounts—or so you would think. In reality, a study suggests about three quarters of the population are ignoring the most effective way of keeping hackers out of their personal information.
The tool, known as two-factor authentication (2FA), prompts people to enter a text message code or some other piece of extra information when they log in from an unfamiliar computer. This can stop a hacker, even one who has guessed your password, from getting into your Facebook or Gmail accounts.
But even though security reporters and big tech companies have been preaching the virtue of 2FA for years, the message does not appear to be getting through to the general public. According to a survey conducted by the firm Duo Security:
- Only 28% of people are using 2FA at all
- More than half of the respondents (56%) had not even heard of 2FA in the first place
The actual percentage of people using 2FA is probably even lower, as Duo says its sample of 443 people was more affluent and more educated than the general population.
It’s also notable that 29% of the sample who are using 2FA began doing so involuntarily—i.e. at the behest of their employer. This means it’s likely a good percentage of those who are using 2FA are doing so for work (for instance to access tools like Slack or remote email) and not for personal accounts like Gmail or Yahoo Mail.
This is discouraging because many of the most serious cases of hacking and identity theft begin with attackers sifting through victims’ email accounts for other information. (The most famous example is John Podesta, Hillary Clinton’s presidential campaign manager, who was tricked by the Russians into supplying his Gmail password. If he had 2FA turned on, the hackers would likely not have broken in.)
In their conclusion, the Duo Security report authors acknowledge the tech and security community needs to do more to educate everyday people about 2FA:
One source of the problem may be the jargon—“2FA” or “two-factor authentication”—used to describe a simple security concept: the requirement for an extra step, such as a text message code, when someone tries to log in from an unfamiliar device.
It’s also possible companies that offer 2FA, which these days include everyone from Amazon to Facebook, may not be doing enough to bring the feature to their users’ attention and to encourage them to turn it on.
Finally, here is a graphic from the Duo Security report that shows the respective popularity of different 2FA methods. As you can see, the most popular method is SMS/text messages, followed by so-called authenticator apps (such as RSA or Google Authenticator), which display a temporary code. Meanwhile, only 9% of respondents are using security keys, which are even safer than the other methods but require users to carry a physical key like this one.
Duo Security, which produced the report, helps companies manage 2FA for their users. The Ann Arbor-based firm recently gained attention as a so-called “unicorn” (a startup with a valuation over $1 billion), while Facebook’s Head of Security described Duo as his favorite security product.