Yubico Unveils Needed Awareness Around Phishing-Resistant MFA

By Greg Tavarez

I remember a time when all that was needed was a strong password or a one-time password to act as a strong defense against attacks that lead to data breaches. But as attacks have become more sophisticated, the weaknesses of password-based authentication are glaring (as they leave businesses vulnerable to attacks such as brute-force, phishing and credential stuffing). These attacks are costly for businesses in terms of lost revenue, legal fees and reputational damage.

The rise of cloud-based services and remote work is only adding fuel to that fire, as traditional security measures such as firewalls and VPNs are no longer sufficient to protect against attacks. This has resulted in the need for stronger authentication methods, such as multi-factor and adaptive authentication.

Still, IT leaders continue to rely on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords. In a report from Yubico, only 46% of respondents protect their enterprise applications with MFA.

Hmm. This is a bit concerning, considering that 59% of respondents reported having a security breach within the past year, up 6% from just two years ago.

Seeing those results prompted Yubico to dive a bit deeper with its research. For those unfamiliar with Yubico, the hardware authentication security keys provider created security solutions based on an open standard and is a co-founder of the FIDO Alliance, which is dedicated to developing open, interoperable authentication standards. Yubico developed the YubiKey, which is a security key that provides strong MFA and eliminates the need for passwords.

Looking at the specific methods of authentication, the Yubico survey found that one of the least secure methods is the most deployed – usernames and passwords at 91%. Hardware-based USB security keys at 62%, biometrics at 59%, passwordless MFA at 58% and smart cards at 58% are the least deployed.

Those stats are appalling considering the amount of times companies preach about being the most secure and adopting solutions that mitigate all data breaches. But the survey revealed a stat that makes it not surprising at all.

Regarding the Executive Order on cybersecurity issued by President Joe Biden in May 2021 in response to the U.S. Office of Management and Budget issued Memo M-22-09, the survey found that only two-thirds have heard of the executive order and related OMB guidance regarding phishing-resistant MFA, and 91% of respondents report being familiar with FIDO standards. 

While many organizations have responded to the call for more secure forms of authentication, there is still a need to spread awareness and increase education around phishing-resistant MFA overall.

“Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we’re seeing they're still using them as primary tools of defense,” said Ronnie Manning, Chief Marketing Officer of Yubico. “Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world.”

If one thing that should be taken from the survey, it’s that businesses continue to rely on outdated authentication methods, thus putting themselves at risk of cyberattacks and data breaches. By adopting more secure authentication methods, businesses better protect themselves and their customers.




Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

MSPToday Editor

SHARE THIS ARTICLE
Related Articles

Why AI Spend Management Could Become the Next MSP Service Opportunity

By: Erik Linask    7/14/2026

As AI costs rise, businesses need visibility into token usage and budget risk, which creates a potential new AI cost-governance revenue opportunity fo…

Read More

The Next SOC Shift Is Here: Autonomous Identity Response for MSPs

By: Erik Linask    7/8/2026

Blackpoint Cyber's new AI SOC Agent for Identity Threat Detection and Response gives MSPs an autonomous, human-guided way to contain high-confidence c…

Read More

Identity Is the New Perimeter and MSPs Are on the Front Line

By: Erik Linask    7/8/2026

Barracuda's acquisition of Evo Security expands BarracudaONE with MSP-focused IAM and PAM capabilities, highlighting how identity resilience is becomi…

Read More

MSPs: The Network Is No Longer Someone Else's Problem

By: Erik Linask    6/30/2026

Reinvent's new MyCloud SecureLink offering gives MSPs and resellers a partner-ready way to deliver managed SD-WAN, network security, and resilient con…

Read More

Why the Fastest-Growing MSPs Are Saying "No" More Often

By: Special Guest    6/30/2026

The fastest-growing MSPs in the U.S. are boosting margins, reducing cyber risk, and scaling more sustainably by adopting stricter customer qualificati…

Read More