IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute.
The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions.
The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvärd, CEO and Co-Founder, Yubico.
“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Individuals report better security practices in some instances compared to IT pros
Out of the 35% of individuals who report that they have been victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts.
Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
Poor password hygiene
Fifty-one percent of IT security respondents say their organizations have experienced a phishing attack, with another 12% of respondents stating that their organizations experienced credential theft, and 8% say it was a man-in-the-middle attack.
Yet, only 53% of IT security respondents say their organizations have changed how passwords or protected corporate accounts were managed. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
Mobile use is on the rise
Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work and an average of 45% of employees in the organizations represented are using their mobile device for work.
Alarmingly, 62% of IT security respondents say their organizations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use two-factor authentication (2FA).
Poor employee access protection
Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple, yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security and 51% of individuals) share passwords with colleagues to access business accounts.
Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organization uses a password manager, which are effective tools to securely create, manage, and store passwords.
Concerns about customer information and PII security
IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organizations have no plans to adopt 2FA for customers.
Of these 25% of IT security respondents, 60% say their organizations believe usernames and passwords provide sufficient security and 47% say their organizations are not going to provide 2FA because it will affect convenience by adding an extra step during login.
When businesses are choosing to protect customer accounts and data, the 2FA options that are used most often do not offer adequate protection for users.
Three main 2FA methods
IT security respondents report that SMS codes (41%), backup codes (40%), or mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device.
Additionally, 23% of individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of individuals rate security (56%), affordability (57%), and ease of use (35%) as very important.
Individuals only adopting new technologies that are easy to use
It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organizations have put in place are not being widely adopted by employees or customers.
In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password.
However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. Here’s what is preferred: biometrics, security keys, and password-free login.
Passwordless methods are preferred
A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organization or accounts.
And lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.