Legacy, password-based authentication systems are failing enterprise security, says study

Authentication-related attacks grew in 2022, taking advantage of outdated, password-based authentication systems, according to a study commissioned by HYPR, a passwordless multifactor authentication (MFA) provider based in the US.

The study, conducted by independent technology market research firm Vanson Bourne, surveyed 1000 IT professionals from organizations around the world with more than 50 employees. These included respondents from the US (300), UK (250), France (100), Germany (100), China (100), Australia (75) and Japan (75).

Rush of MFA bombing pushed authentication related breaches

Three out of five respondents said their organizations had been targeted by authentication-related attacks in 2022. Also, out of 88% respondents targeted by one or more cyberattacks in the last 12 months, 43% reported phishing or smishing to be the main form of attacks.

Push notification attacks (MFA bombing) accounted for 28% of overall attacks. These attacks, where a user is bombarded with multiple push alerts for device access, had contributed to only 12% and 9% respectively in 2021 and 2020.

“Organizations have been using two-factor authentication—a password based primary factor and an OTP or push notification-based second factor to secure access,” said Steve Brasen, research director at consulting firm Enterprise Management Associates, which has no connection with the study.

“The second factor authentication is a bit more difficult to defeat. To get around this, bad actors repeatedly send second factor authentication requests to the user’s phone, annoying them until they accept the request and enable access to the hacker,” he said.

The basic approach to two-factor authentication has barely slowed down attacks owing to continued reliance on passwords and fallible users getting too easily duped into providing credentials to bad actors, Brasen added.

Most organizations still use multiple legacy authentication methods such as username and password (57%), TFA/MFA (54%), password manager (49%) and single sign-on (43%). Only 28% of respondents said they used some form of password-less authentication.

A fifth of respondents said they had experienced two or more authentication-related breaches in the last year. The average cost of an authentication-related breach was reported to be $2.95 Million.

Legacy authentication failing on multiple grounds

Most respondents (87%) believed their organization’s approach to authentication to be complete and mostly secure. This, experts point out, is rooted in their ignorance for adopting industry standards.

“Most organizations addressed the authentication security issue by layering an OTP or push notification solution on top of their existing password-based authentication tools because that was the cheapest and easiest way to resolve the issue,” Brasen said. “They then checked the box indicating they have met their compliance and service agreement requirements and refocused their budgets and efforts toward addressing other IT security issues.”

The legacy authentication methods also present several pain points in terms of management and control. Issues highlighted by survey respondents included difficulty with securely authenticating remote workers (36%), unmanaged third-party devices (35%), technology complexity for deployment (34%), employee resistance to adoption (31%), and password/credential reset (29%).

Additionally, 81% of respondents admitted having trouble accessing work-critical information on occasions they forgot a password. The report indicated an average spend of $375 per employee per year on password issues.

“Rather than reducing the security impacts to user performance, traditional two-factor approaches actually increase user friction, requiring them to perform additional tasks in order to access the resources they need to complete job tasks,” Brasen added.

The study observed a market readiness for passwordless authentication as nearly all (98%) respondents agreed that their organizations will benefit from implementing passwordless methods.

Top incentives for shifting to passwordless methods included improving user experience and productivity (45%), strengthening cybersecurity (43%), pushing employee adoption of MFA (42%), and dropping insecure legacy systems (36%)

“The increased awareness of the value of passwordless authentication approaches is being driven by publicly disclosed recommendations and directives,” Brasen added. “The availability of new passwordless technologies (such as passkeys) and the increased adoption of FIDO standards are also accelerating passwordless deployments.”

The stigma associated with implementation expenses for passwordless systems is lifting, as benefits of enhanced security, improved user experience and business performance outweigh earlier challenges, according to Brasen.

The survey highlighted a few misconceptions about what constitutes passwordless authentication. Among respondents reporting that their organizations used passwordless systems, 58% used OTPs via a mobile authenticator app, 54% used OTP hardware tokens such as RSA tokens (54%), 53% used push notifications, and 50% stored passwords that are unlocked with biometrics and relayed on the back end. A true passwordless system, with no use of passwords, was found to be used by only 3% of respondents, meaning a vast majority of organizations with an assumed passwordless solution are still open to phishing, push fatigue and other MFA attacks.

This study emphasizes on the need to educate on passwordless methods as 65% respondents couldn’t tell a traditional MFA from a phishing-resistant one, and 82% still believed traditional MFAs provide complete or high security.