Over the last two years, respondents reported a continued reliance on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords (OTPs), according to Yubico.
Not all MFA is equal
The results are surprising considering 59% of respondents reported having a security breach within the past year – up 6% from just two years ago. Additionally, the report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45% (a 12% increase).
“Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we’re seeing they’re still using them as primary tools of defense,” said Ronnie Manning, CMO, Yubico.
“Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world,” Manning continued.
What researchers have found
- Only 46% of respondents protect their enterprise applications with MFA
- Nearly 74% have some level of concern about the security of SMS or push-based authentication
- Username and password ranks at the top with 91% response selection, while hardware-based USB security keys (62%), biometrics (59%), passwordless MFA (58%) and smart cards (58%) are the least deployed
- Nearly three-fourths (69%) of respondents have some level of concern about the security of SMS or push-based authentication
“These survey results show a clear disconnect between the reality we’re facing of constant rising threats of sophisticated cyberattacks like phishing, and the actions that businesses are taking to stay secure,” said Manning.
“There remains a considerable gap between the security and usability tradeoff of MFA tools, and this is highlighted by some confusion regarding phishing-resistant MFA and how the most secure tools like security keys can actually offer the best balance of cost savings and ease-of-use,” Manning continued.
The survey also revealed critical forces shaping authentication and a foundation for the adoption of modern MFA, including the Executive Order on Cybersecurity issued by President Biden in May of 2021, in response to which the US Office of Management and Budget issued Memo M-22-09.
64% have heard of the White House Executive Order and related OMB guidance regarding phishing-resistant MFA, and 91% of respondents report being familiar with FIDO standards.
It’s clear that many organizations have responded to the call for more secure forms of authentication, but there is still a need to spread awareness and increase education around phishing-resistant MFA overall.