In a world that’s more connected than ever, the landscape of cybersecurity threats is constantly evolving. Bad actors, now supercharged with artificial intelligence (AI), are becoming increasingly adept at exploiting human error through sophisticated phishing and social engineering attacks. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises.
To capture a snapshot of this reality, Yubico’s new 2025 Global State of Authentication survey polled 18,000 employed adults across nine countries (Australia, France, Germany, India, Japan, Singapore, Sweden, the UK, and the US), revealing notable gaps between the perception of security and the reality of modern vulnerabilities. The full global findings highlight a world struggling with outdated security habits and misconceptions revealing a critical need to bridge the divide between personal and workplace cyber hygiene.
While the global trends point to a concerning over-reliance on legacy authentication methods like usernames and passwords, a closer look at the data reveals fascinating differences in how various countries are navigating a new cyber landscape stemming from unique regional challenges. As we dive into international comparisons, it becomes clear that while the threat of cyber attacks like phishing is global, the path toward cyber resilience and a secure, phishing-resistant future is being paved at different speeds around the world.
The global pulse: A false sense of security driven by misconceptions
Across the board, there’s a troubling trend: many still trust the least secure methods of authentication. 26% of all respondents still believe a simple username and password is the most secure way to protect an account, while 41% place their trust in vulnerable SMS-based authentication. This is concerning, as most cyber attacks are the direct result of stolen login credentials. These misconceptions directly translate into risky behavior, with 60% of respondents using usernames and passwords for personal accounts and 56% for work accounts.
This over-confidence is a global phenomenon: 84% of employees who acknowledge that security measures differ by role within their company still feel their company’s cybersecurity is as secure as it should be. This suggests a widespread failure to recognize that inconsistent security is, by definition, weak security. An attacker only needs one weak link, and when security differs by role, it leaves multiple entry points for bad actors to exploit.
A tale of two continents: Europe’s cautious approach vs. US growing confidence
When we examine the country-specific data, a compelling narrative emerges. European nations like France and Germany show a more cautious – and in some ways, more realistic – view of cybersecurity, while the US exhibits a blend of high-tech adoption and high-risk habits.
One of the most notable stats from this year’s survey comes from France: In 2024, only 29% of respondents used MFA for their personal accounts, but this year, that number has skyrocketed to 71%. This represents a massive shift in personal cybersecurity practices, suggesting growing awareness of cybersecurity and that French users are rapidly embracing more secure login methods as a result. However, French users show the highest reliance on insecure legacy forms of MFA like SMS-based authentication for both personal (46%) and work (36%) accounts among the surveyed European countries.
Germany shares similar trends, with German employees being the least likely to use personal devices for work without their company’s knowledge: 58% stated they only use work-permitted devices – well above the global average of 46%. Yet, they also lag in corporate security measures; only 40% report their companies use MFA across all services, one of the lowest rates surveyed.
Contrast this with the United States, where there is a greater embrace of modern technology – but a more relaxed attitude toward security boundaries. The US leads in the adoption of device-bound passkeys (18% for work, 16% for personal). Despite this, US employees are among the most likely to blur the lines between work and home.
Over half of US employees (58%) use personal devices for work – a notable 8% higher than the global average, creating significant new attack vectors. US respondents also reported the highest incidence of compromised passwords across nearly every category.
Asia-Pacific and India: Leading the charge in a high-threat environment
The survey data from the Asia-Pacific region reveals a hyper-aware, rapidly adapting workforce. In India, there is a pronounced understanding of the modern threat landscape. Indian respondents are the most likely to believe their personal accounts are well-protected (77%) and feel their company has their best cybersecurity interests in mind (49%). This confidence appears rooted in action: India reports the highest rate of corporate MFA adoption across all apps and services (72%) and the highest familiarity with passkeys, with 47% saying they are “very familiar” with them.
This proactivity may be born from necessity – respondents in India also report the highest rates of password compromise for social media (39%), online retailers (19%) and banking apps (19%). They have clearly experienced the consequences of weak security firsthand and are now leading the global charge in adopting stronger measures.
Singapore also stands out for its high adoption of MFA for personal accounts (78%) and strong corporate cybersecurity training programs (64% of employees have received training). This focus on education appears to be paying off, as it contributes to more robust security practices overall.
AI apprehension: From mild concern to major alarm
Concern over AI-driven cyber threats is rising globally, but the intensity of this anxiety varies widely by country. Japanese respondents showed the most dramatic shift, with the percentage of those concerned about AI’s impact on their security jumping from 31% in 2024 to 74% in 2025. Similarly, Sweden saw a sizable leap in concern – from 37% to 68%.
In contrast, while concern also grew in Western countries, it was from a much higher starting point. In the UK, apprehension rose from 61% to 81% – and in the US, from 61% to 77%. This suggests that while awareness of AI threats is becoming universal, countries like Japan and Sweden are seeing the concern rise particularly more recently in their respective regions.
Interestingly, this heightened awareness doesn’t always translate into knowledge and recognition of AI. When presented with sample emails – one generated by AI and the other written by a person – 44% of French and 47% of German respondents believed an AI-written message was from AI, compared to just 43% in the US and 45% in the UK. This may indicate a greater sensitivity or familiarity in continental Europe with the nuances of AI-generated text.
The universal challenge: Passkey education
While usernames and passwords are an outdated and insecure form of authentication, they remain the most common login method for both work (56%) and personal (60%) accounts globally. Despite promising signs of MFA adoption in some regions, one theme is universal: a general lack of knowledge (and adoption) of passkeys. Even in tech-forward countries, a significant portion of the population remains unaware of this phishing-resistant technology.
Globally, 45% of those who have never used a passkey said it was because they had never heard of them. This was most pronounced in France, with 44% of respondents having never used a passkey – and a surprising 65% also never having heard of them. This remains a significant barrier everywhere; this is not an issue of technological complexity, but one of education and awareness. Enterprises and service providers have a clear mandate: educate users on what passkeys are and why they represent a monumental leap forward in securing our digital lives.
However, belief in which methods are most secure is shifting, particularly in the UK and US. In the UK, confidence in hardware security keys and passkeys as the most secure option surged 20% from 17% in 2024 to 37% in 2025. The US saw similar growth, rising from 18% to 34%. This marks a significant and encouraging trend toward recognizing the gold standard of phishing-resistant MFA.
This growing confidence is mirrored in passkey familiarity. In the US and UK, 35% and 33% of users, respectively, describe themselves as “very familiar” with passkeys, using them often. This stands in stark contrast to France, where only 9% feel the same level of comfort.
Germany sits somewhere in the middle, showing strong confidence in hardware security keys (37%) but lagging slightly behind the US and UK in “very familiar” passkey users (23%). The data points to a clear opportunity for education, especially in countries like France, where awareness appears to be the primary barrier to adopting stronger security.
Moving toward a phishing-resistant future
The results of our 2025 Global State of Authentication survey highlight behaviors and trends that reveal need for improvement, especially with how widely passwords and legacy authentication continue to be used. However, the needle is moving toward better cybersecurity practices globally. Growing awareness of rising cyber threats like phishing powered by AI and increased adoption of MFA and passkeys in key regions shows that change is possible – and that a passwordless, phishing-resistant future is coming.
The time is now to make meaningful progress toward achieving this goal. To truly secure our interconnected world and move toward cyber resilience, organizations and individuals around the world must focus on key areas, including:
- Prioritize education. To move toward a passwordless, phishing-resistant future, closing the knowledge gap around cybersecurity is paramount. Organizations must educate employees on why legacy authentication methods are phishable, and why hardware-backed passkeys offer the strongest protection available against modern cyber attacks like phishing.
- Organizations need to equip all users with phishing-resistant MFA, making portable hardware security keys the standard for highest-assurance security. Companies must move beyond legacy systems and adopt modern, phishing-resistant MFA across all applications for all employees, regardless of role or title
- Eliminate inconsistent security policies that create weak points for attackers. Every employee, regardless of role, is a target and needs the same high level of protection.
Our digital lives at work and home are no longer separate, and our approach to security can no longer afford to be fragmented. By understanding the global and regional nuances in behavior and perception, we can better tailor our strategies and behaviors to close the cybersecurity gaps – and make the internet safer for everyone.
To see the full Global State of Authentication survey results, check out our press release here. For a breakdown of the results, see the full report here and infographic here.
Find these results interesting? Learn how your business can tackle challenges with phishing-resistant YubiKeys and contact our team here.
