As user credentials continue to be a top vector for cyberattacks, organizations are under tremendous pressure to rethink the effectiveness of current authentication initiatives, according to SecureAuth.
Additionally, cyber insurance carriers are requiring companies to demonstrate strong controls over authentication before they will provide any cyber insurance coverage, or else to pay higher premiums.
Although respondents agree that traditional MFA is better than nothing, they are most concerned with its susceptibility to cyberattacks (54%) and the friction it creates for users (30%).
MFA authentication effectiveness
IT and security professionals are worried about the security risks of traditional MFA, with 55% reporting that relying on one-time passwords (OTP) using texts and phone calls leaves them open to cyberattacks.
Alarmingly, only 5% of respondents are very confident that traditional MFA can combat credential-related cyberattacks, while 40% are somewhat confident. An additional 21% feel traditional MFA cannot be used as an effective hacker deterrent because user adoption rates are too low.
And over half of those surveyed are either not sure or concerned that their organization will lose cyber insurance coverage if they continue with traditional MFA.
Moving to a passwordless environment
On the question about moving to a passwordless environment, a whopping 65% are planning on implementing passwordless technologies in the next 24 months. Nearly a third are planning to do so in the next six months, and another third are looking at the 12-24 month horizon.
“In FIDO Alliance’s 2022 Online Authentication Barometer report, we found that password usage was down, however 70% of people still had to recover a password at least once in a given month,” stated Andrew Shikiar, Executive Director and CMO of FIDO Alliance.
“Although companies are offering more ways to authenticate such as legacy MFA solutions, these technologies are still easily exploitable with ‘MFA bombing’, ‘man-in-the-middle’, and other attacks. SecureAuth’s State of Authentication Report further validates that it is time for organizations to move beyond legacy forms of MFAs and onto passwordless technologies,” Shikiar added.
Authentication security is a top priority
84% of respondents consider authentication and access management as a top 5 security priority.
Bottom line: These results demonstrate the importance of authentication and access management for IT and security teams in an extremely crowded market and threat landscape.
Multiple Identity Providers (IdPs) are common
76% of respondents use multiple IdPs, a surprising trend in contrast to the usual consolidation of cybersecurity tools. The respondents cited high availability/failover, unique use case requirements, and a preference for a best-of-breed approach as reasons.
Bottom line: As over 80% of cyberattacks focus on credentials, practitioners need to have a back-up system in case their primary IdP product goes down or is compromised by an attack.
Device trust is woefully underused
Device trust isn’t used at all, according to 25% of the respondents. Under 50% of respondents use it for mobile security, while only 25% use it for safeguarding Mac workstations.
Bottom line: Organizations are missing a simple but effective way to improve their security posture by not using device trust as the start of every user’s digital journey.
“Many organizations are making steady progress in protecting customer and employee accounts and credentials from malicious activity,” stated Paul Trulove, CEO of SecureAuth.
“However, based on this survey, it’s clear that traditional authentication approaches, which are dependent on legacy MFA, have not kept up with adversarial advancements, and more needs to be done to ensure credentials are safe from cyberattacks. It’s reassuring to see that an overwhelming number of organizations are planning to implement passwordless authentication technology within the next two years. But passwordless is not enough. Organizations need to move towards continuous authentication that manages a user’s entire digital journey from pre-authentication to post-authorization to be truly secure and provide users with a frictionless experience,” Trulove concluded.