New study from Yubico reveals now is the time to move from legacy authentication to modern, phishing-resistant MFA

Study finds 59% of enterprises report experiencing a data breach last year, yet 91% are still relying on usernames and passwords as their form of authentication

SANTA CLARA, CA and STOCKHOLM, SWEDEN – April 25, 2023 – Yubico, the leading provider of hardware authentication security keys, today at RSA Conference in San Francisco unveiled the results of a new research report conducted by S&P Global Market Intelligence. Commissioned by Yubico, the report surveyed over 500 IT leaders in the US and Canada and explored the top multi-factor authentication (MFA) trends among businesses today and the critical forces shaping authentication – including the impacts of government and regulatory compliance. This report is a sequel to a previous study that the companies conducted in 2021 and demonstrates how sentiments and behaviors have shifted when it comes to the adoption of MFA. 

Over the last two years, respondents reported a continued reliance on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords (OTPs). This is surprising considering 59% of respondents reported having a security breach within the past year – up 6% from just two years ago. Additionally, the report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45% (a 12% increase). 

“Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we’re seeing they’re still using them as primary tools of defense,” said Ronnie Manning, chief marketing officer, Yubico. “Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world.”

The survey highlighted many additional key findings, including:

  • Only 46% of respondents protect their enterprise applications with MFA  
  • Nearly 74% have some level of concern about the security of SMS or push-based authentication
  • In general, the least secure methods of authentication such as passwords and SMS-based MFA are deployed most frequently
    • Username and password ranks at the top with 91% response selection, while hardware-based USB security keys (62%), biometrics (59%), passwordless MFA (58%) and smart cards (58%) are the least deployed
  • Nearly three-fourths (69%) of respondents have some level of concern about the security of SMS or push-based authentication

“These survey results show a clear disconnect between the reality we’re facing of constant rising threats of sophisticated cyberattacks like phishing, and the actions that businesses are taking to stay secure,” said Manning. “There remains a considerable gap between the security and useability tradeoff of MFA tools, and this is highlighted by some confusion regarding phishing-resistant MFA and how the most secure tools like security keys can actually offer the best balance of cost savings and ease-of-use.”

The survey also revealed critical forces shaping authentication and a foundation for the adoption of modern MFA, including the Executive Order (EO) on Cybersecurity issued by President Biden in May of 2021, in response to which the US Office of Management and Budget issued Memo M-22-09. Nearly two-thirds (64%) have heard of the White House EO and related OMB guidance regarding phishing-resistant MFA and 91% of respondents report being familiar with FIDO standards. It’s clear that many organizations have responded to the call for more secure forms of authentication, but there is still a need to spread awareness and increase education around phishing-resistant MFA overall.

To see the results of the survey and download the report, visit here. Learn more about the YubiKey and phishing-resistant MFA here. If you’re attending the RSA Conference, be sure to stop by Yubico’s booth S-4300 Moscone South.

About the study

The report was commissioned by Yubico, and its findings draw on a North American survey fielded in December 2022/January 2023. Respondents were based in the United States and Canada at companies of 500+ FTE. The survey targeted senior professionals and executives in IT security, compliance, and cyber risk. All respondents were screened for involvement in their organization’s purchase of security products and for knowledge of MFA. Respondents were from the following industries: Education, Financial Services, Public Sector, Healthcare, Hospitality, Manufacturing, Media, Professional Services, Retail, Technology, Transportation and Logistics. This report also draws on contextual knowledge of additional research conducted by S&P Global Market Intelligence.

About Yubico

Yubico, the inventor of the YubiKey, makes secure login easy and available for everyone. Since the company was founded in 2007, it has been a leader in setting global standards for secure access to computers, mobile devices, servers, browsers, and internet accounts. Yubico is a creator and core contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor (U2F) open authentication standards, and is a pioneer in delivering modern, hardware-based authentication security at scale. 

YubiKeys are the gold standard for phishing-resistant multi-factor authentication (MFA), enabling a single device to work across hundreds of consumer and enterprise applications and services. Yubico’s technology enables secure authentication, encryption, and code signing and is used and loved by many of the world’s largest organizations and millions of customers in more than 160 countries. 

Aligned with its mission of making the internet more secure for everyone, Yubico donates YubiKeys to organizations helping at-risk individuals through the philanthropic initiative, Secure it Forward. Yubico has a presence around the globe and offices in Santa Clara, San Francisco, Seattle area, and Stockholm. For more information, please visit: www.yubico.com

Contact information:

Ryan Schin or Katelyn Martin

press@yubico.com
