New study from Yubico reveals now is the time to move from legacy authentication to modern, phishing-resistant MFA

Study finds 59% of enterprises report experiencing a data breach last year, yet 91% are still relying on usernames and passwords as their form of authentication

SANTA CLARA, CA and STOCKHOLM, SWEDEN – April 25, 2023 – Yubico, the leading provider of hardware authentication security keys, today at RSA Conference in San Francisco unveiled the results of a new research report conducted by S&P Global Market Intelligence. Commissioned by Yubico, the report surveyed over 500 IT leaders in the US and Canada and explored the top multi-factor authentication (MFA) trends among businesses today and the critical forces shaping authentication – including the impacts of government and regulatory compliance. This report is a sequel to a previous study that the companies conducted in 2021 and demonstrates how sentiments and behaviors have shifted when it comes to the adoption of MFA. 

Over the last two years, respondents reported a continued reliance on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords (OTPs). This is surprising considering 59% of respondents reported having a security breach within the past year – up 6% from just two years ago. Additionally, the report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45% (a 12% increase). 

“Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we’re seeing they’re still using them as primary tools of defense,” said Ronnie Manning, chief marketing officer, Yubico. “Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world.”                                                                                                                                                                                                                                                                                                                                                                                        

The survey highlighted many additional key findings, including:

  • Only 46% of respondents protect their enterprise applications with MFA  
  • Nearly 74% have some level of concern about the security of SMS or push-based authentication
  • In general, the least secure methods of authentication such as passwords and SMS-based MFA are deployed most frequently
    • Username and password ranks at the top with 91% response selection, while hardware-based USB security keys (62%), biometrics (59%) passwordless MFA (58%) and smart cards (58%) are the least deployed
  • Nearly three-fourths (69%) of respondents have some level of concern about the security of SMS or push-based authentication

“These survey results show a clear disconnect between the reality we’re facing of constant rising threats of sophisticated cyberattacks like phishing, and the actions that businesses are taking to stay secure,” said Manning. “There remains a considerable gap between the security and useability tradeoff of MFA tools, and this is highlighted by some confusion regarding phishing-resistant MFA and how the most secure tools like security keys can actually offer the best balance of cost savings and ease-of-use.”

The survey also revealed critical forces shaping authentication and a foundation for the adoption of modern MFA, including the Executive Order (EO) on Cybersecurity issued by President Biden in May of 2021 in response to the US Office of Management and Budget issued Memo M-22-09. Nearly two-thirds (64%) have heard of the White House EO and related OMB guidance regarding phishing-resistant MFA and 91% of respondents report being familiar with FIDO standards. It’s clear that many organizations have responded to the call for more secure forms of authentication, but there is still a need to spread awareness and increase education around phishing-resistant MFA overall.

To see the results of the survey and download the report, visit here. Learn more about the YubiKey and phishing-resistant MFA here. If you’re attending the RSA Conference, be sure to stop by Yubico’s booth S-4300 Moscone South.

About the study

The report was commissioned by Yubico and its findings presented in this report draw on a North American survey fielded in December 2022/January 2023. Respondents were based in the United States and Canada in company sizes of 500+ FTE. The survey targeted senior professionals and executives in IT security, compliance, and cyber risk. All respondents were screened for being involved in their organization’s purchase of security products and knowledgeability about MFA. Respondents were from the following industries: Education, Financial Services, Public Sector, Healthcare, Hospitality, Manufacturing, Media, Professional Services, Retail, Technology, Transportation and Logistics. This report also draws on contextual knowledge of additional research conducted by S&P Global Market Intelligence.

About Yubico

Yubico, the inventor of the YubiKey, makes secure login easy and available for everyone. Since the company was founded in 2007, it has been a leader in setting global standards for secure access to computers, mobile devices, servers, browsers, and internet accounts. Yubico is a creator and core contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor (U2F) open authentication standards, and is a pioneer in delivering modern, hardware-based authentication security at scale. 

YubiKeys are the gold standard for phishing-resistant multi-factor authentication (MFA), enabling a single device to work across hundreds of consumer and enterprise applications and services. Yubico’s technology enables secure authentication, encryption, and code signing and is used and loved by many of the world’s largest organizations and millions of customers in more than 160 countries. 

Aligned with its mission of making the internet more secure for everyone, Yubico donates YubiKeys to organizations helping at-risk individuals through the philanthropic initiative, Secure it Forward. Yubico has presence around the globe and offices in Santa Clara, San Francisco, Seattle area, and Stockholm. For more information, please visit: www.yubico.com

Contact information:

Ryan Schin or Katelyn Martin

press@yubico.com

Share this article: