Identity security is at a crossroads. As digital transformation accelerates, organizations are increasingly vulnerable to identity-focused attacks, which are now the primary entry point for cybercriminals. The incorporation of artificial intelligence (AI) into the attacker’s arsenal raises the stakes even higher. Cybercriminals recently stole $25 million from a multinational finance firm in a single stroke by impersonating executives using deepfake video and audio.
With security teams grappling with unprecedented demands, we’ve expanded our seminal State of Passwordless annual report to encompass the broader identity security field. Now titled State of Passwordless Identity Assurance, this fourth edition investigates current and emerging identity threats to organizations, their security perspectives and practices, and their greatest areas of vulnerability. Conducted by HYPR and Vanson Bourne, the report is based on interviews with 750 IT/IS decision makers, representing a cross-section of industries across the globe. The results expose the gap between evolving threats and outdated identity models, and the extent to which this undermines global security and business growth.
Our research reveals an unsettling rise in identity theft and fraud, driven by the availability of compromised credentials and sophisticated phishing schemes. Nearly all (99%) surveyed organizations faced some kind of attack over the past 12 months and almost eight in ten (78%) were targeted by identity-based attacks.
Not surprisingly, phishing and malware are the most prevalent. Push notification attacks, also called MFA-prompt bombing, continue to be a favorite technique of modern hacking groups. Toward the bottom of the list just two years ago, push attacks figure prominently in many recent high-profile attacks including the widespread campaign against Apple users last month.
The consequences of identity security breaches are significant. A staggering 84% of organizations that experienced a cyberattack subsequently suffered a breach, with 62% experiencing multiple breaches. For those organizations that were breached, 91% blame authentication weaknesses and the misuse of credentials for one or more breaches, a notable increase from 82% the previous year.
These breaches not only carry significant financial burdens — with costs averaging $5.48 million — but also lead to customer loss, reputational damage, and substantial fines.
Many organizations remain tethered to outdated security practices that no longer suffice in the current digital era. The findings underscore the urgency to shift from traditional perimeter-based defenses to an identity-first security strategy. Today, the average organization struggles with the complexities of managing an expanding number of digital identities, brought on by remote work trends and the adoption of new technologies.
This transition stresses the need for robust identity security practices that not only prevent unauthorized access but also ensure a seamless user experience. Despite advancements, 99% of organizations still rely on outdated legacy authentication methods, highlighting a significant gap in adopting more secure and efficient solutions like passwordless authentication and continuous, automated identity verification.
On a positive note, four in ten (41%) of organizations plan to use passwordless authentication or passkeys over the next 1-3 years. In addition, 43% intend to incorporate identity verification into their identity security processes.
Artificial Intelligence (AI) presents both opportunities and threats for identity security. On the one hand, AI can enhance identity security protocols through adaptive and risk-based controls. On the other hand, cybercriminals are using AI to exploit vulnerabilities more effectively, creating tailored phishing messages and convincing deepfakes.
IT security decision-makers recognize the dual nature of AI, with the ability to prevent threats from generative AI (60%) and deepfake identity fraud (45%) among their top concerns. Despite these challenges, three-quarters (75%) believe that adopting AI within their identity security stack will ultimately give them an advantage over cybercriminals.
As businesses continue to transform their operations and business models, they face unprecedented and dynamic security risks. The research underscores the urgent need for organizations to adopt a holistic, identity-first security strategy that leverages advanced technologies and continuous verification processes.
HYPR’s Identity Assurance platform empowers organizations with a comprehensive identity security solution so they can protect their digital identities, safeguard sensitive data, and ensure long-term business resilience in an increasingly digital world.
Get the full report on the State of Passwordless Identity Assurance in 2024.