Yubico, the leading provider of hardware authentication security keys, today announced results of the company’s second annual State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute.
Ponemon Institute surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, the United Kingdom, and the United States, as well as 563 individual users.
One of the key findings from Australia is that organisations are most concerned about the privacy and security of personal data.
The report found that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions. The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Key Australian findings from this research include:
- All individuals surveyed (globally) are especially concerned when it comes to government surveillance (65%) and protecting details of their health status (53%).
- Almost half of Australian organisations surveyed have experienced a phishing attack (47%) or ransomware attack (13%), with 52% saying their organisation changed their password practices following an attack.
- 64% of Australian organisations have a password policy for their employees however only 36% said this policy was strictly enforced.
Global findings included:
Individuals report better security practices in some instances compared to IT professionals. Out of the 35% of individuals who report that they have been a victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
Fifty-one percent of IT security respondents say their organisations have experienced a phishing attack, with another 12% of respondents stating that their organisations experienced credential theft, and 8% say it was a man-in-the-middle attack. Yet, only 53% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
Additionally, mobile use is on the rise. Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work and an average of 45% of employees in the organisations represented are using their mobile device for work. Alarmingly, 62% of IT security respondents say their organisations don’t take the necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work-related items, and of these, 56% don’t use 2FA.
Given the complexities of securing a modern, mobile workforce, organisations struggle to find simple, yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security and 51% of Individuals) share passwords with colleagues to access business accounts. Fifty-nine percent of IT security respondents report that their organisation relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organisation uses a password manager, which are effective tools to securely create, manage, and store passwords.
IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organisations have no plans to adopt 2FA for customers. Of this 25 % of IT security respondents, 60% say their organisations believe usernames and passwords provide sufficient security and 47% say their organisations are not going to provide 2FA because it will affect convenience by adding an extra step during login. When businesses are choosing to protect customer accounts and data, the 2FA options that are used most often do not offer adequate protection for users.
IT security respondents report that SMS codes (41%), backup codes (40%), or mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device. Additionally, only 23 percent of Individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of Individuals rate security (56 percent), and affordability (57 percent), and ease of use (35 percent) as very important.
It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organisations have put in place are not being widely adopted by employees or customers. In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. Here’s what is preferred: biometrics, security keys, and password-free login.
A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. And lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.
Data for this survey was collected by the Ponemon Institute on behalf of Yubico. Ponemon Institute was responsible for data collection, data analysis and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured from October 24 to November 15, 2019.
To download the complete report and associated infographic, visit yubico.com/authentication-report-2020.