In a world that’s more connected than ever before, cyber attacks are more rampant than ever, with bad actors continuing to take advantage of human error. Despite ongoing advancements in security technologies and processes, it continues to be fairly simple to compromise user credentials through phishing and social engineering attacks, which are made even easier by advances in AI, deepfakes, and voice cloning. Simply put, cybersecurity is no longer just a concern for IT departments or tech-savvy individuals – it’s an issue that impacts everyone.
As individuals and enterprises alike face this world-wide challenge head on, Yubico’s new Global State of Authentication Survey captures the current state of cybersecurity in the form of a unique snapshot of how individuals and businesses around the world are tackling authentication. The survey results highlight the alarming gaps in personal and workplace cybersecurity, showing that many people underestimate their vulnerabilities. Visit here for a look and initial breakdown of the survey results.
To get a better understanding of the significant takeaways on the findings, we sat down with Derek Hanson, VP of standards and alliances at Yubico, to dive into the survey as a whole. In the interview below, Derek discusses what the broader impacts and trends are on individuals and businesses alike, and recommendations for both as we move toward a passwordless and phishing-resistant future. Derek will also be discussing the results in a live webinar with Yubico CMO Ronnie Manning on October 2 – be sure to register in advance.
What are your key takeaways on the survey findings this year?
For individuals, a finding that stuck out was that despite being the least secure form of authentication, 39% of respondents still think username and password is the most secure method, and 37% think mobile SMS-based authentication is the most secure method, to log in to their accounts. Related and not surprising is that 58% of respondents still use a username and password to log in to personal accounts and 54% use it to log in to work accounts.
With most cyber attacks being a result of stolen login credentials, it’s concerning that so many people still rely on this outdated authentication method and it’s clear change is not just needed – it’s paramount to the future of a world that centers around the internet and living online.
Also interesting is the differences our study found between respondents’ cyber hygiene practices at work versus home. While organizations often try their best to implement stringent security protocols at work, our findings show respondents are falling behind in maintaining their own robust cybersecurity practices at home: 32% of respondents are not familiar enough with MFA to use it for their personal accounts and 22% don’t have the technical knowledge to use it at home. This gap leaves not only individuals’ personal data at risk, but also exposes employers to potential vulnerabilities.
The other thing I think is worth noting is that our survey found that 40% don’t think or aren’t sure if the online apps and services they are using are doing enough from a security standpoint to protect their data, accounts and personal information. This number is concerning, and I’d encourage people to reach out to the different organizations and online service providers they frequently use – like financial institutions, social media sites or cloud providers – to ask them to offer support for modern MFA solutions like passkeys.
Were there any surprises or trends you expected to see?
Related to the point I just mentioned about apps and services doing enough to protect customer data, survey takers reported that they experienced breaches and compromised passwords on some of their most commonly used apps and services. These are the ones that hold their most confidential, financial, and personal information including: Social media accounts (44%), payment apps (24%), online retailer accounts (21%), messaging apps (17%), and banking apps (13%).
Unfortunately, many industries and environments are slow to adopt new technologies designed to protect employees, customers and their partners. These industries may not understand the nuances and can be restrained by regulatory environments. Financial services and healthcare organizations have historically been over-regulated, which has led them to stay stagnant in a password-based world. In order for any real change to happen, these industries need a sandbox they are allowed to play in to truly accept and adopt this technology.
The good news is there is impactful work being done on the federal level (such as NIST revising their identity guidelines in the U.S. and NIS2 in the EU) that will influence expanding definitions of what security solutions are acceptable – but that will continue to take time, and consumers will suffer as an expense in the meantime.
We’ve seen the adoption of passkeys take off over the past year globally. Based on the survey results, how do you expect to see current consumer behaviors impact passkey adoption over the next year?
We’ll continue to see in the short term that consumers will be hesitant to adopt multi-factor authentication (MFA) – primarily because their experience with MFA has traditionally been cumbersome and difficult. While better than no MFA at all, the reliance on SMS-based OTP as a primary MFA factor is dangerous. SMS-based OTP is widely available and offered as a standard by organizations around the world, and because of this customers are now accustomed to it. When we’re talking about consumer behavior, there is hesitancy to change or adopt anything else unless they see it in more places that they’re familiar with and respect.
The solution is clear: enable broad support for passkey authentication. Until broader adoption of modern MFA by organizations themselves happens, it will be an uphill battle for consumer adoption and changing of perceptions and habits. Like any new technology, passkey adoption will be slow – unless organizations begin to remove unsafe methods of authentication for users, like SMS OTP. It’s also important to prioritize following recommended guidelines around creating a good user experience that encourages users to enroll passkeys and educates them on the value to them as users.
What are the critical factors that will drive the continued adoption of modern MFA solutions among consumers and businesses alike?
Change is hard for people – regardless of what the action is. Modern MFA can seem confusing and difficult to understand for the general user. As previously mentioned, 32% stated they are not familiar enough with MFA to use it, and 22% don’t have the technical knowledge to use it. The good news is that this challenge is not difficult to overcome with the right effort by organizations to help educate and for individuals to take initiative to learn more.
Enterprises immediately understand the value in modern MFA solutions like passkeys because they see the immediate and real threat of their business coming to a halt due to a successful cyber attack. At the same time, consumers may not understand the threat until they experience a breach of their most personal, confidential information first hand.
Until people experience an attack first hand, it may continue to be a challenge for them to understand the importance of practicing good cyber hygiene and ultimately valuing passwordless offerings over the traditional offerings they’re comfortable using. However, just like seatbelt use being mandated in cars, everyone is resistant to needed change until they are encouraged to do so and have a better understanding of the risks for their own safety.
This is why we’ve seen an increased focus by governments around the world enforcing the use of modern, phishing-resistant MFA solutions like passkeys by organizations that work directly with the government. As these organizations become more comfortable using passkeys internally for their employees, I expect to see further efforts to expand the use of passkeys to the end users to further improve the security posture of everyone today to move on from passwords.
Why is it important for an organization to give the same level of security to all of its employees, ensuring each of them become a phishing-resistant user?
The prevalence of phishing attacks among organizations via tactics like social engineering calls to the helpdesk (among many other methods) can lead to a compromise of the account and the organization. Attackers can not only hijack the user registration process, but ongoing authentication and account recovery processes in the event of a lost or stolen device. The way an organization must establish and manage a user’s identity credential throughout its lifecycle has to evolve to address these increasing challenges.
In order to truly prevent phishing attacks, organizations must do more than just invest in phishing-resistant authentication – they must instead focus on developing phishing-resistant users. Creating phishing-resistant users is not just a reactive measure, but a proactive organizational strategy aimed at removing the risk of phishing by eliminating all phishable events from the entire user lifecycle.
When looking at the security aspect of onboarding employees, our survey found that over 1/3 (34%) of respondents said they did not receive instructions to secure their work accounts with more than just a username and password when they first started at the company they work for. Despite the fact that every employee in an organization is a potential target, 41% said security measures and requirements differ based on role and title at their company, leaving room for bad actors to infiltrate within several levels of an organization.
The phishing problem is an enterprise-wide problem – everyone in an organization is susceptible to getting phished. It’s not just stolen login credentials, either: an attacker can also install software on your computer and get a foothold for a ransomware attack. This means every user in an organization needs to have phishing-resistant authentication implemented everywhere, and employees themselves must effectively become phishing-resistant users.
Based on what the survey revealed, what are your top tips for individuals and businesses to stay secure from increasingly sophisticated cyber attacks like phishing?
Though there is a lot of overlap between both, the survey results highlight different key takeaways for businesses and individuals. As mentioned, organizations need to be more proactive when it comes to education on modern MFA for their employees and users – while also offering these more secure security solutions for people to take control of their own security. Doing so fosters the ability to create phishing-resistant users – and therefore phishing-resistant enterprises – by implementing the following across all users:
- To achieve maximum security, equip all users with phishing-resistant MFA and deploy purpose-built and portable hardware security keys as the primary authenticator.
- Establish phishing-resistant account registration and user recovery procedures for all, utilizing purpose-built and portable hardware security keys as the foundation for the highest-assurance security.
- Employ technology-driven solutions that minimize the reliance on user education, while also providing essential education on the principles and benefits of phishing-resistant MFA for both corporate and personal use.
For individuals, it’s critical to be more proactive when it comes to caring about your digital life and securing your most important information online. Not only does this mean becoming more educated on cybersecurity tools available, but it may require you reaching out to your employer or favorite businesses to ask them to add support for more secure authentication solutions like passkeys. Additional important steps include:
- Check all of your frequently used online accounts and wherever possible, enable those accounts to use MFA to make it harder for phishing attacks to succeed. A hardware security key like a YubiKey, the gold standard for phishing-resistant MFA, works across hundreds of applications and services, providing strong security across multiple accounts.
- Be vigilant: Always check the email sender address to confirm if it is coming from the respective business or entity they are claiming to be from. If you receive a suspicious email or text message and are still unsure if it is legitimate, directly contact the organization to confirm that the claims or statements are accurate.
- Ensure you’re using a password manager.
At the end of the day, every individual needs to understand that their own security is in their control – and there are solutions out there to ensure you are truly securing your digital life.
——
To see the full results of Yubico’s new Global State of Authentication Survey, visit our press release here. For a further breakdown of the survey, be sure to join us in an upcoming webinar with Derek and Yubico CMO Ronnie Manning on October 2 at 10am PT – register in advance here: 2024 State of Global Authentication: Tackling Cyberthreats at Work & Home.