PALO ALTO, CA and STOCKHOLM, SWEDEN – February 19, 2020 – Yubico, the leading provider of hardware authentication security keys, today announced results of the company’s second annual State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute. Ponemon Institute surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users.
Findings from last year’s study show that IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience. This year’s 2020 State of Password and Authentication Security Behaviors Report evaluates whether or not that has changed, and provides data to better understand security practices and preferences between IT security practitioners and the end users they serve.
The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions. The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvärd, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Key findings from this research include:
- Individuals report better security practices in some instances compared to IT professionals. Out of the 35% of individuals who report that they have been victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
- Fifty-one percent of IT security respondents say their organizations have experienced a phishing attack, with another 12% of respondents stating that their organizations experienced credential theft, and 8% say it was a man-in-the-middle attack. Yet, only 53% of IT security respondents say their organizations have changed how passwords or protected corporate accounts were managed. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
- Additionally, mobile use is on the rise. Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work and an average of 45% of employees in the organizations represented are using their mobile device for work. Alarmingly, 62% of IT security respondents say their organizations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use two-factor authentication (2FA).
- Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple, yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security and 51% of individuals) share passwords with colleagues to access business accounts. Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organization uses a password manager, which are effective tools to securely create, manage, and store passwords.
- IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organizations have no plans to adopt 2FA for customers. Of these 25% of IT security respondents, 60% say their organizations believe usernames and passwords provide sufficient security and 47% say their organizations are not going to provide 2FA because it will affect convenience by adding an extra step during login. When businesses are choosing to protect customer accounts and data, the 2FA options that are used most often do not offer adequate protection for users.
- IT security respondents report that SMS codes (41%), backup codes (40%), or mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device. Additionally, 23% of individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of individuals rate security (56%), affordability (57%), and ease of use (35%) as very important.
- It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organizations have put in place are not being widely adopted by employees or customers. In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. Here’s what is preferred: biometrics, security keys, and password-free login.
- A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organization or accounts. And lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.
Full Survey Results and Methodology
Beyond the above listed highlights, the full 2020 State of Password and Authentication Security Behaviors Report delivers further statistics across several countries, based on the following themes.
- How IT security respondents and individuals approach personal security
- Security behaviors and practices in the workplace
- Authentication mechanisms
- The popularity of passwordless authentication
- Protecting customers’ accounts with two-factor authentication
- The increase in personal mobile devices is bringing risk to the workplace
- How IT security behaviors and beliefs vary by country
Data for this survey was collected by Ponemon Institute on behalf of Yubico. Ponemon Institute was responsible for data collected, data analysis and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured October 24 to November 15, 2019.
To download the complete report and associated infographic, visit yubico.com/authentication-report-2020. To learn more about cybersecurity trends on the path to digital transformation, sign up for the upcoming Yubico webinar on March 18 at 10 a.m. PST.
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.
The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers.
Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries.
Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com.