I remember a time when all that was needed was a strong password or a one-time password to act as a strong defense against attacks that lead to data breaches. But as attacks have become more sophisticated, the weaknesses of password-based authentication are glaring (as they leave businesses vulnerable to attacks such as brute-force, phishing and credential stuffing). These attacks are costly for businesses in terms of lost revenue, legal fees and reputational damage.
The rise of cloud-based services and remote work is only adding fuel to that fire, as traditional security measures such as firewalls and VPNs are no longer sufficient to protect against attacks. This has resulted in the need for stronger authentication methods, such as multi-factor and adaptive authentication.
Still, IT leaders continue to rely on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords. In a report from Yubico, only 46% of respondents protect their enterprise applications with MFA.
Hmm. This is a bit concerning, considering that 59% of respondents reported having a security breach within the past year, up 6% from just two years ago.
Seeing those results prompted Yubico to dive a bit deeper with its research. For those unfamiliar with Yubico, the hardware authentication security keys provider created security solutions based on an open standard and is a co-founder of the FIDO Alliance, which is dedicated to developing open, interoperable authentication standards. Yubico developed the YubiKey, which is a security key that provides strong MFA and eliminates the need for passwords.
Looking at the specific methods of authentication, the Yubico survey found that one of the least secure methods is the most deployed – usernames and passwords at 91%. Hardware-based USB security keys at 62%, biometrics at 59%, passwordless MFA at 58% and smart cards at 58% are the least deployed.
Those stats are appalling considering the number of times companies preach about being the most secure and adopting solutions that mitigate all data breaches. But the survey revealed a stat that makes it not surprising at all.
Regarding the Executive Order on cybersecurity issued by President Joe Biden in May 2021 and the related Memo M-22-09 issued by the U.S. Office of Management and Budget, the survey found that only two-thirds have heard of the executive order and related OMB guidance regarding phishing-resistant MFA, and 91% of respondents report being familiar with FIDO standards.
While many organizations have responded to the call for more secure forms of authentication, there is still a need to spread awareness and increase education around phishing-resistant MFA overall.
“Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we’re seeing they're still using them as primary tools of defense,” said Ronnie Manning, Chief Marketing Officer of Yubico. “Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world.”
If one thing should be taken from the survey, it’s that businesses continue to rely on outdated authentication methods, thus putting themselves at risk of cyberattacks and data breaches. By adopting more secure authentication methods, businesses better protect themselves and their customers.
Edited by Alex Passett