The State of Passwordless Security 2023: Report Recap
Shelley Leveson, Director of Content Marketing, HYPR
5 Min. Read | April 9, 2023
Cyberattacks continue to increase at an alarming rate, and many security breaches can be traced back to an authentication issue. Whether the credential is a password alone or a password plus an additional authentication factor, attackers are adept at bypassing it at scale. For example, over 100 million multi-factor authentication (MFA) attacks were recorded in Q1 2022, whereas such attacks were virtually non-existent in 2019.
Just this month, law enforcement agencies in Europe and the U.S. announced the seizure of a major online marketplace that offered over 80 million stolen login credentials, giving cybercriminals access to accounts in the financial sector, critical infrastructure, and government agencies, among others. This hasn’t put them out of business, however, as the group’s admins announced the marketplace would soon be available through other channels.
The pressure on security teams is showing no signs of abating, and against that backdrop, we compiled our State of Passwordless Security report for a third consecutive year. For this report, we asked 1,000 IT/IS security decision-makers from around the world about the state of cybersecurity in their organization and where passwordless security currently fits into their defense strategy.
Authentication Is Still Highly Vulnerable
As has been the case in our previous two reports, authentication remains the greatest weakness in enterprise cybersecurity. Of the professionals we interviewed, 60% said their organizations had suffered breaches through authentication-based attacks across the last 12 months. These breaches can then be used as launchpads for further attacks, such as ransomware or data theft.
The ability of attackers to automate phishing processes, including by buying easy-to-deploy kits on the dark web, makes any authentication process featuring passwords and other shared secrets high-risk. This ease of access means that even low-skilled attackers can launch successful assaults on major corporations. However, despite these clear and obvious risks, most organizations don’t make any changes to their authentication processes after a successful attack. Even worse, a majority still deploy passwords in some form, with 57% using basic username-and-password combinations for some systems.
Since credential theft is still the easiest and most successful method for attackers, major industry groups and the federal government have advised organizations to deploy phishing-resistant, passwordless methods.
Global Cyber Defenses: New Avenues of Attack
Virtually every organization has suffered some form of cyberattack over the last year. The main vectors for these attacks are common threats such as phishing and ransomware, but one, in particular, has shown noticeable growth. Nearly 30% of organizations were hit by push notification attacks, which have more than doubled their prevalence since the 2022 report (12%).
This increase relates to how organizations have tried to counter their greatest cybersecurity weakness (passwords) with multi-factor authentication. MFA requires a user to authenticate using two or more factors based on knowledge (e.g., a password or PIN), possession (e.g., a device or hardware security key) or inherence (e.g., a fingerprint or face scan).
With the general acknowledgement that passwords are easily phished or cracked, MFA in the form of a password plus an additional factor has been widely considered a possible solution. However, as our report shows, this has not proven to be an effective security measure. For example, attackers can bypass push notification MFA by spamming users with push requests, a technique known as MFA prompt bombing, in the hope that the user will eventually accept one.
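Prompt bombing leaves a recognisable trace in identity-provider logs: a burst of push prompts to one account, mostly denied or timed out, sometimes ending in an approval. The following is an added example (not part of the report or HYPR's product) that runs a simple burst detector over a constructed log. The log format, event names (`push_sent`, `push_denied`, `push_timeout`, `push_approved`), window size and threshold are all assumptions for illustration; map them to whatever your MFA provider actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp, username, MFA push event.
# "bob" receives five prompts in a few minutes at 2 a.m. and finally approves one.
SAMPLE_LOG = """\
2023-04-09T08:00:01Z alice push_sent
2023-04-09T08:00:09Z alice push_approved
2023-04-09T02:14:03Z bob push_sent
2023-04-09T02:14:20Z bob push_denied
2023-04-09T02:14:41Z bob push_sent
2023-04-09T02:15:02Z bob push_denied
2023-04-09T02:15:30Z bob push_sent
2023-04-09T02:15:55Z bob push_timeout
2023-04-09T02:16:10Z bob push_sent
2023-04-09T02:16:33Z bob push_denied
2023-04-09T02:17:01Z bob push_sent
2023-04-09T02:17:40Z bob push_approved
2023-04-09T09:30:00Z carol push_sent
2023-04-09T09:30:30Z carol push_timeout
2023-04-09T09:31:00Z carol push_sent
2023-04-09T09:31:15Z carol push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into a time-sorted list of tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), max_prompts=3):
    """Flag users who received more than max_prompts push prompts inside one window.

    Severity is 'high' when an approval follows the start of the burst (the user may
    have accepted an attacker's prompt), otherwise 'medium' (harassment, no login yet).
    Returns {user: {"prompts": n, "first_prompt": iso_ts, "severity": ...}}.
    """
    by_user = defaultdict(list)
    for ts, user, ev in events:
        by_user[user].append((ts, ev))

    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        start = 0
        burst = None  # (count, first_ts) of the largest burst seen for this user
        # Sliding window over prompt timestamps (already sorted).
        for end, ts_end in enumerate(sent):
            while ts_end - sent[start] > window:
                start += 1
            count = end - start + 1
            if count > max_prompts and (burst is None or count > burst[0]):
                burst = (count, sent[start])
        if burst is None:
            continue
        count, first_ts = burst
        approved = any(ev == "push_approved" and ts >= first_ts for ts, ev in evs)
        alerts[user] = {
            "prompts": count,
            "first_prompt": first_ts.isoformat(),
            "severity": "high" if approved else "medium",
        }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {alert}")
```

A rule like this is a compensating control, not a fix: it tells you after the fact that an account was hammered, and a "high" alert should trigger a session revocation and a password/factor reset. The durable mitigation the report points to is moving those accounts to phishing-resistant, passwordless methods that have no push prompt to spam.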
Passwordless Security: A Multi-Problem Solution
The most tangible consequences of authentication-originated breaches are monetary, costing organizations an average of $2.95 million annually. This doesn’t factor in the longer-term financial impacts of losing business to rivals and reputational damage.
The problems with passwords, however, extend beyond their serious security implications. From a user-experience perspective, passwords are the root cause of significant frustration. Our report reveals that 81% of respondents experienced occasions where they could not access critical information because they’d forgotten a password. Along with the time spent logging in with passwords, password resets and account lockouts significantly impact employee productivity and, consequently, the organization’s bottom line.
The costs are also very real at the IT support desk. Our report uncovered some thought-provoking insights into how much upholding password-based authentication costs organizations yearly. Enterprises spend 32% of their IT helpdesk budget on password-related issues, such as resets. This equates to $465,645 annually, or $375 per employee per year, wasted on password issues.
While passwordless security has its own implementation costs, it is generally far cheaper than maintaining password-based systems.
The Short-Term Future of Passwordless Security
Despite the clear and obvious problems that passwords cause every year, many organizations have yet to adopt full passwordless security. Even though the security leaders interviewed were almost unanimous in their belief in the benefits of passwordless security, organizations still face significant obstacles.
These obstacles range from fears around integration with their current technology stack to lacking the internal knowledge to implement a new system, to general misunderstandings of what exactly constitutes phishing-resistant, passwordless MFA. Only 3% of organizations that state they use passwordless solutions are using phishing-resistant, passwordless methods. This means that 97% of the “passwordless” solutions deployed are susceptible to phishing and push attacks.
Our State of Passwordless Security Report 2023 gives an in-depth insight into exactly how much authentication weaknesses are costing organizations every year. We also look at the global state of passwordless security and how organizations respond to the biggest threats.
Download the full report on the State of Passwordless Security in 2023.