Traditional MFA is creating a false sense of security

A report from HYPR and Cybersecurity Insiders reveals that, despite zero trust initiatives, many organizations remain highly exposed to credential attacks because of insufficient multi-factor authentication (MFA) methods and a lack of urgency after a potential exposure. In fact, 64% of those hacked did not enhance or improve their authentication controls following the attack.


The findings also revealed that the perpetual cyber risk of remote work continues to drive passwordless adoption amongst organizations on a global scale.

The report includes insights from more than 400 security and information technology professionals. It covers the state of conventional and passwordless authentication, the key drivers and barriers to adoption, and overarching technology preferences, based on data from Cybersecurity Insiders' 500,000-member community.

Despite breaches, organizations fail to improve their authentication processes

A key finding from the report highlighted that 89% of survey respondents experienced a phishing attack against their organization in 2021, and 34% experienced credential stuffing, a 17% uptick from the same survey conducted last year.

Responses indicated a 33% rise in push attacks, with 12% of organizations reporting weaponized push notifications (repeated MFA prompts sent to a user until one is approved) as the attack method, showing that remote employees remain a target. Despite the increasing number of breaches, only 35% believe their current authentication solution is fully secure. Additionally:

  • 64% of those hacked did not enhance or improve their password-based authentication controls following the attack
  • 65% of those that claim to be passwordless continue to employ methods based in secret-sharing, such as SMS or one-time password (OTP); 19% are unsure whether their solution is truly “passwordless”

“Organizations are grappling to implement a solid security strategy to meet regulations, and to ensure customer confidence, all while responding to a forever-hovering pandemic that’s leaving their teams understaffed and overworked. Many of these organizations are relying on traditional authentication methods to tick a box in the hopes it protects them against the next breach; instead, what our report reveals is that traditional MFA is creating a false sense of security,” said Bojan Simic, CEO and CTO of HYPR.

“Yet, we are seeing an uptick in awareness and understanding of the need to go beyond MFA and the overall benefits of passwordless authentication, especially in sectors such as finance and insurance. As organizations continue to roll out their zero trust programs, we can expect passwordless MFA to be a critical component of any security framework.”

Traditional MFA methods falling short for most organizations

Multi-factor authentication spending and overall adoption are on the rise, driven by regulatory pressure from global initiatives and specifically the zero trust IT security model, but reluctance remains prominent.

49% cite poor user experience as a major obstacle to traditional MFA adoption, closely followed by 48% citing lack of system interoperability and integration, with cost rounding out the top three at 42%. Many respondents regarded password-based MFA as a burden that hurts overall productivity; for example, 63% said they had been unable to access work-critical information after forgetting a password.

“Peace of mind in your IT security comes from knowing that you’re doing everything you can to ensure your network is protected. Security measures like ensuring you have MFA at every entry point, a password policy that enforces strong end-user compliance, and regular monitoring of your system are all vital steps to trusting your network is secure. Once you’re actually hacked, it’s vital to take what you know about your vulnerabilities and implement new safety measures to make sure it doesn’t happen again,” Darren Siegel, cyber security expert at Specops Software, told Help Net Security.

“Some easy one-off implementations include checking for breached passwords, encouraging the use of longer passwords, and getting started with a zero-trust model of network privileges. I’d recommend starting off with an audit for breached passwords using Specops Password Auditor to get a feel for how your password security stacks up and where you can begin to implement improvements,” Siegel concluded.
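The breached-password audit recommended above can be done without ever sending a password, or even its full hash, to the breach service. The following is an added example, not code from HYPR, Specops or Help Net Security, and it does not use the Specops Password Auditor API. It implements the k-anonymity range-query pattern (the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the suffix itself) against a small breach corpus constructed inline so the script runs offline; function names, the sample corpus and the 12-character minimum are this example's own assumptions. Note that SHA-1 here only identifies a breached string, it is not a password-storage hash.

```python
"""Breached-password check using the k-anonymity range-query pattern.

Added example; not code from HYPR, Specops or Help Net Security.
The breach corpus is constructed inline so this runs offline. A real
deployment would query a breach service range endpoint or a local copy
of its hash list, which holds SHA-1 hashes, never plaintexts.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus (assumed data): plaintext -> number of breaches.
# Only used to build the hash index below; a real corpus never stores plaintexts.
_SAMPLE_BREACHED = {
    "password": 3861493,
    "123456": 23547453,
    "Summer2021!": 142,
    "letmein": 236000,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the identifier format breach range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Server side: bucket hashes by their 5-character prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index

RANGE_INDEX = build_range_index(_SAMPLE_BREACHED)

def range_query(prefix: str) -> dict:
    """Server side: return every suffix in the bucket. The server learns only
    the 5-char prefix, so it cannot tell which password was checked."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))

def breach_count(password: str, query=range_query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    `query` is injectable so a real range-API client can be substituted."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return query(prefix).get(suffix, 0)

def evaluate_password(password: str, min_length: int = 12) -> dict:
    """Apply the two one-off checks from the text: breached list and length."""
    count = breach_count(password)
    problems = []
    if count:
        problems.append(f"seen in {count} breaches")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return {
        "breached": count > 0,
        "breach_count": count,
        "accepted": not problems,
        "problems": problems,
    }

def audit(passwords):
    """One-off audit: return only the passwords that fail the policy."""
    results = {pw: evaluate_password(pw) for pw in passwords}
    return {pw: r for pw, r in results.items() if not r["accepted"]}

if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    for pw, result in audit(["password", "Summer2021!", "correct horse battery staple"]).items():
        print(f"{pw!r}: {', '.join(result['problems'])}")
```

In a real audit the plaintexts would not be available; you would instead hash the directory's NT or SHA-1 hashes as the service expects and feed the prefixes to `breach_count` through the `query` parameter. The server-side `range_query` is included only to show why the prefix-only exchange keeps the checked password private.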

Organizations understand the need to go passwordless

In response to the damaging cyberattacks of 2021, coupled with work from home becoming a permanent option, more organizations are shifting to passwordless MFA. Among organizations that started a passwordless initiative with HYPR in 2021, the finance and insurance sector accounted for 25% of small-to-medium businesses (SMBs) and 34% of enterprises. Manufacturing was the second-largest adopter at 13%.

82% of respondents named strengthening their authentication security program as the main driver for passwordless MFA adoption. Unlike with traditional MFA, where user experience was cited as an obstacle, improved user experience ranked as the second most important driver at 67%, a 5% increase from the previous year. Meeting regulatory compliance was also of notable importance at 40%. Additionally, among companies that are passwordless:

  • Remote employees are the primary users of passwordless methods (86%).
  • Onsite employees follow closely at 73%, demonstrating that many organizations are employing a hybrid work model.
