Yubico’s 2019 State of Password and Authentication Security Behaviors Report

PALO ALTO, CA and STOCKHOLM, SWEDEN – January 28, 2019 – Yubico, the leading provider of hardware authentication security keys, today announced the results of the company’s 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute. Ponemon Institute surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France.

The purpose of this study is to understand the beliefs and behaviors surrounding password management and authentication practices for individuals both in the workplace and at home. The goal was to understand if these beliefs and behaviors align, and why or why not. The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. Both parties are in dire need of solutions that will offer both added security and convenience.

“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorized access. However, this multi-country research illustrates the difficulties associated with proper password hygiene,” said Stina Ehrensvard, CEO and Founder, Yubico. “With every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally.”

Key findings from this research include:

  • Sixty-three percent of respondents say they have become more concerned about the privacy and security of their personal data over the past two years. Respondents reported being most concerned with Social Security number or citizen ID, payment account details and health information. The reason respondents reported being more concerned about their privacy was due to government surveillance (59 percent), and the growing use of mobile devices (51 percent) and connected devices (40 percent).
  • Almost half of respondents (47 percent) say their companies are most concerned about protecting customer information and 45 percent of respondents say they are most concerned about protecting employee information.
  • As cyberattacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents (51 percent) say they have experienced a phishing attack in their personal life, while 44 percent of respondents have experienced a phishing attack at work. However, while phishing attacks are occurring on a frequent basis, 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors.
  • Approximately two out of three respondents (69 percent) admit to sharing passwords with their colleagues in the workplace to access accounts and more than half of respondents (51 percent) reuse an average of five passwords across their business and/or personal accounts. Furthermore, added protection beyond a username and password, in the form of two-factor authentication, is not widely used. Sixty-seven percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work.
  • It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords both personally and professionally. Respondents report spending an average of 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords. Based on the average headcount in this research of almost 15,000, we estimate the annual cost of productivity and labor loss per company averages $5.2 million.
  • Because managing passwords is inconvenient and cumbersome, 57 percent of respondents expressed a preference for passwordless logins that protect their identity. Fifty-six percent of respondents believe that a physical hardware token offers better security.

Full Survey Results and Methodology
Beyond the above listed highlights, the full 2019 State of Password and Authentication Security Behaviors Report delivers further statistics based on the following themes.

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organizations
  • Differences in password practices and authentication security behaviors by age
  • Differences in password practices and authentication security behaviors by country

Data for this survey was collected by Ponemon Institute on behalf of Yubico. Ponemon Institute was responsible for data collected, data analysis and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured August 20 to September 4, 2018.

To download the complete report and associated infographic, visit yubico.com/authentication-report. For more information on Yubico, visit www.yubico.com.


About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

About Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.

The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers.

Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries.

Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com

Press Room

Ronnie Manning

Chief Marketing Officer
Yubico
ronnie@yubico.com
