Sixty percent of respondents hit by an authentication-related cyberattack in the last 12 months agreed that they could have avoided it with a passwordless system.

Authentication-related attacks grew in 2022, taking advantage of outdated, password-based authentication systems, according to a study commissioned by HYPR, a passwordless multifactor authentication (MFA) provider based in the US.

The study, conducted by independent technology market research firm Vanson Bourne, surveyed 1000 IT professionals from organizations around the world with more than 50 employees. These included respondents from the US (300), UK (250), France (100), Germany (100), China (100), Australia (75) and Japan (75).

Rush of MFA bombing pushed authentication-related breaches

Three out of five respondents said their organizations had been targeted by authentication-related attacks in 2022. Also, of the 88% of respondents targeted by one or more cyberattacks in the last 12 months, 43% reported phishing or smishing to be the main form of attack. Push notification attacks (MFA bombing) accounted for 28% of overall attacks. These attacks, in which a user is bombarded with multiple push alerts for device access, had accounted for only 12% in 2021 and 9% in 2020.

“Organizations have been using two-factor authentication—a password-based primary factor and an OTP or push notification-based second factor to secure access,” said Steve Brasen, research director at consulting firm Enterprise Management Associates, which has no connection with the study.

“The second factor authentication is a bit more difficult to defeat. To get around this, bad actors repeatedly send second factor authentication requests to the user’s phone, annoying them until they accept the request and enable access to the hacker,” he said.
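The push-bombing pattern Brasen describes is visible in an identity provider's authentication logs: a burst of push challenges for one account, often followed by an approval. The following is an added example, not code from the article, from HYPR or from any vendor; it assumes a hypothetical log format (timestamp, user, event, source IP) and constructed sample lines, and shows both a detection rule (flag accounts that receive more than a threshold of pushes within a sliding window, and whether an approval followed the burst) and the matching server-side mitigation (refuse to issue further pushes once the threshold is hit).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical IdP format (not from the article).
# alice receives six push challenges in under three minutes and finally approves;
# bob receives one push and approves it normally.
SAMPLE_LOG = """\
2022-11-03T09:00:01 user=alice event=push_sent src=203.0.113.9
2022-11-03T09:00:31 user=alice event=push_denied src=203.0.113.9
2022-11-03T09:00:40 user=alice event=push_sent src=203.0.113.9
2022-11-03T09:01:10 user=alice event=push_sent src=203.0.113.9
2022-11-03T09:01:45 user=alice event=push_sent src=203.0.113.9
2022-11-03T09:02:20 user=alice event=push_sent src=203.0.113.9
2022-11-03T09:02:55 user=alice event=push_approved src=203.0.113.9
2022-11-03T09:05:00 user=bob event=push_sent src=198.51.100.4
2022-11-03T09:05:09 user=bob event=push_approved src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>push_sent|push_approved|push_denied) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip lines that are not push events
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "event": m["event"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_bombing(events, max_pushes=3, window=timedelta(minutes=5)):
    """Detection rule: flag a user who receives more than max_pushes push
    challenges inside a sliding window; record whether an approval followed
    while the burst was still inside the window (the attacker's success case)."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent within window
    findings = {}
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:  # expire old pushes from the window
            q.popleft()
        if e["event"] == "push_sent":
            q.append(e["ts"])
            if len(q) > max_pushes:
                f = findings.setdefault(
                    e["user"],
                    {"burst_at": e["ts"], "pushes": len(q), "approved_after_burst": False},
                )
                f["pushes"] = max(f["pushes"], len(q))
        elif e["event"] == "push_approved" and e["user"] in findings and len(q) > max_pushes:
            findings[e["user"]]["approved_after_burst"] = True
    return findings


def should_send_push(sent_times, now, max_pushes=3, window=timedelta(minutes=5)):
    """Mitigation: server-side rate limit. Refuse a new push challenge when
    max_pushes have already been sent to this user inside the window, so a
    user cannot be worn down by an unbounded stream of prompts."""
    recent_count = sum(1 for t in sent_times if now - t <= window)
    return recent_count < max_pushes


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

The thresholds are tunable per deployment; three pushes in five minutes is a constructed starting point, not a figure from the study. In production, the detection half would feed a SIEM rule and the rate-limit half would sit in the IdP's challenge-issuing path, ideally alongside number matching so that a single tap cannot approve a request the user did not initiate.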
The basic approach to two-factor authentication has barely slowed down attacks, owing to continued reliance on passwords and to fallible users being too easily duped into providing credentials to bad actors, Brasen added.

Most organizations still use multiple legacy authentication methods such as username and password (57%), TFA/MFA (54%), password managers (49%) and single sign-on (43%). Only 28% of respondents said they used some form of passwordless authentication.

A fifth of respondents said they had experienced two or more authentication-related breaches in the last year. The average cost of an authentication-related breach was reported to be $2.95 million.

Legacy authentication failing on multiple grounds

Most respondents (87%) believed their organization’s approach to authentication to be complete and mostly secure. This confidence, experts point out, stems from a lack of awareness of the industry standards they should be adopting.

“Most organizations addressed the authentication security issue by layering an OTP or push notification solution on top of their existing password-based authentication tools because that was the cheapest and easiest way to resolve the issue,” Brasen said. “They then checked the box indicating they have met their compliance and service agreement requirements and refocused their budgets and efforts toward addressing other IT security issues.”

The legacy authentication methods also present several pain points in terms of management and control. Issues highlighted by survey respondents included difficulty with securely authenticating remote workers (36%), unmanaged third-party devices (35%), technology complexity for deployment (34%), employee resistance to adoption (31%), and password/credential resets (29%). Additionally, 81% of respondents admitted having trouble accessing work-critical information on occasions when they forgot a password.
The report indicated an average spend of $375 per employee per year on password issues.

“Rather than reducing the security impacts to user performance, traditional two-factor approaches actually increase user friction, requiring them to perform additional tasks in order to access the resources they need to complete job tasks,” Brasen added.

The study observed a market readiness for passwordless authentication, as nearly all (98%) respondents agreed that their organizations would benefit from implementing passwordless methods.

Top incentives for shifting to passwordless methods included improving user experience and productivity (45%), strengthening cybersecurity (43%), pushing employee adoption of MFA (42%), and dropping insecure legacy systems (36%).

“The increased awareness of the value of passwordless authentication approaches is being driven by publicly disclosed recommendations and directives,” Brasen added. “The availability of new passwordless technologies (such as passkeys) and the increased adoption of FIDO standards are also accelerating passwordless deployments.”

The stigma associated with implementation expenses for passwordless systems is lifting, as the benefits of enhanced security, improved user experience and business performance outweigh earlier challenges, according to Brasen.

The survey highlighted a few misconceptions about what constitutes passwordless authentication. Among respondents reporting that their organizations used passwordless systems, 58% used OTPs via a mobile authenticator app, 54% used OTP hardware tokens such as RSA tokens, 53% used push notifications, and 50% stored passwords that are unlocked with biometrics and relayed on the back end.
A true passwordless system, with no use of passwords at all, was found to be used by only 3% of respondents, meaning the vast majority of organizations with an assumed passwordless solution are still open to phishing, push fatigue and other MFA attacks.

The study emphasizes the need for education on passwordless methods, as 65% of respondents couldn’t tell a traditional MFA from a phishing-resistant one, and 82% still believed traditional MFA provides complete or high security.