While MFA adoption and spending are on the rise, organizations are still unclear on best practices and methodologies, Yubico and 451 Research reveal.
The findings show that MFA adoption and spending have increased within the enterprise due to a confluence of several factors: the growing recognition that stolen credentials and phishing attacks are at the root of most security breaches; the rise of work-from-home (WFH) policies due to the COVID-19 pandemic; and the adoption of modern authentication standards such as Fast Identity Online (FIDO) U2F, FIDO2 and WebAuthn that underpin new advances in two-factor (2FA) and passwordless authentication.
Barriers to more widespread MFA usage
However, the research also highlights a variety of barriers to more widespread MFA usage such as inconvenience, complexity, and cost. Furthermore, many enterprises remain largely unaware of the security defects found within more common mobile MFA form factors such as SMS-based authentication, which has been widely deprecated for years.
“The pandemic and the move to cloud-based office applications has been a turning point for enterprises to implement and modernize their multi-factor authentication,” said Stina Ehrensvärd, CEO, Yubico.
“What this research shows is that while there is an appetite for strong security with an elegant user experience, many companies stick with less effective old habits and technologies.”
MFA investment increase
MFA spending trends are encouraging, with 74% of respondents planning to increase spending on MFA. It was the top security technology to be adopted due to COVID-19 and the subsequent migration to WFH (49%).
MFA adoption as a response to breaches
53% of all respondents have experienced a security incident or breach in the past year and MFA was among the top three security technologies adopted as a response to a security breach.
Obstacles to MFA adoption
Increased security is the number one reason enterprises are adopting MFA, with 57% of respondents reporting as much. User experience (43%), complexity (41%), and cost (36%) are still the main obstacles to MFA adoption, which comes as no surprise.
These challenges have long been common complaints about MFA, even though modern authentication technologies such as biometrics and security keys have been proven to provide better security and usability than legacy MFA technologies.
Most popular MFA form factors
Despite the increase in security vulnerabilities for mobile and SMS-based MFA, mobile OTP authenticators (58%), mobile push-based MFA (48%), and SMS-based MFA (41%) are among the most popular MFA form factors other than passwords. This reveals that enterprises may still perceive mobile MFA as being more user-friendly and accessible than other MFA options and are prioritizing user experience over security benefits despite reporting otherwise.
Many orgs still relying on SMS-based authentication
Many organizations still rely heavily on SMS-based authentication, but only 22% perceive the security of this form factor as an issue, despite growing evidence of breaches and attacks exploiting mobile or SMS-based authentication methods.
Privileged users most likely to use MFA
Enterprises are stopping at privileged users when it comes to usage of MFA, but time and time again breaches are showing that lower-level employees can leave an organization vulnerable by being a ‘way in’ for adversaries. The research shows that privileged users and third parties (contractors, consultants, partners) are the most likely to use MFA, while end customers are the least likely.
FIDO2 and passwordless gaining momentum
FIDO2 and passwordless authentication are gaining momentum as ways to address traditional MFA pain points: 61% of the organizations surveyed have either deployed passwordless authentication or have it in pilot (34% of respondents have already deployed passwordless technology, 27% in pilot).