Old authentication habits die hard

Many organizations still rely on weak authentication methods while workers’ personal habits create additional risks, according to Yubico.

Training and policy gaps

40% of employees said they have never received cybersecurity training. Even among those who have, the guidance is often outdated because many organizations wait months before updating their security policies. This delay leaves people unprepared. Employees who do not understand current risks are more likely to fall back on familiar habits, which attackers can exploit.

Old methods still dominate

Passwords remain the most common form of authentication across companies. SMS codes are also widespread. Both methods are vulnerable to phishing, credential theft, and social engineering, yet many workers continue to view them as trustworthy.

The survey suggests that employee perception plays a major role in shaping policy. If staff believe these methods are strong, organizations often keep supporting them even though more secure options exist. Stronger tools such as device-bound passkeys, which store credentials on a physical device and resist phishing, are available but still rarely deployed.

Personal and work habits overlap

Employees frequently mix personal and professional activity on the same devices. Workers often log into personal email on company laptops, or check work accounts on personal phones. In many cases, MFA is not enabled on personal accounts, which creates a weak point that attackers can use to gain a foothold. A notable portion of employees say they avoid MFA because they see it as complicated or time-consuming. Others simply are not familiar with the options available.

Because personal and work security habits often look the same, attackers can exploit stolen personal credentials in a professional context. A compromise at home can become a compromise at work without ever touching the corporate perimeter directly.

Generational data suggests that adoption may rise in the future, since younger workers are more comfortable with newer authentication technologies. For now, though, the gap between awareness and action remains wide.

AI shifts the threat landscape

Most respondents said they now believe their accounts are at greater risk because of AI tools. Attackers can use AI to create realistic phishing emails, produce fake websites, or even generate audio and video that mimic trusted colleagues. This reduces the time and skill required to run large-scale attacks.

The study also tested people’s ability to recognize AI-generated text. Most respondents struggled, with many misidentifying human writing as machine-made and vice versa. This shows how difficult it has become for users to rely on intuition when deciding whether a message is legitimate.