The State of Passwordless Security in 2022: Report Recap
Shelley Leveson, Director of Content Marketing, HYPR
February 11, 2022
The spate of recent high-profile, authentication-linked cyberattacks — SolarWinds, Colonial Pipeline, the list goes on — put a spotlight on the failure of current authentication security practices. Vast collections of leaked passwords and readily available automated hacking tools, together with the expanded attack surface of many organizations, have escalated the situation to a point of crisis. These risks affect businesses of all sizes. While small organizations used to experience less than half the number of breaches, that figure is now above 85%.
To gain new insights into the state of conventional and passwordless authentication, including key drivers and barriers to adoption, we commissioned our second annual report on the State of Passwordless Security. Based on independent research conducted by Cybersecurity Insiders, the responses make clear the pressure that password-based authentication, including traditional multi-factor authentication, puts on security systems.
Credential Attacks on the Rise
Of the organizations interviewed for the State of Passwordless Security 2022 report, 89% experienced phishing attacks over the last year, while 34% reported credential stuffing and brute force attacks. Moreover, push fatigue attacks that use weaponized push notifications are a growing concern. The study found a 33% rise in push fatigue attacks since last year.
The shift to remote and hybrid work, in particular, has put a critical strain on authentication security, as securing the remote workforce is a challenge. Hackers, quick to notice the vulnerability of millions of employees logging into data-rich enterprise environments from insecure locations and devices, increased attacks on that point of entry. The spike in push attacks and ongoing pressure from man-in-the-middle and Remote Desktop Protocol (RDP) attacks indicate that remote workers continue to be a prime target of attackers.
Traditional MFA Falling Short
One of the most worrying discoveries of the 2022 Passwordless Security study was that 64% of companies didn’t make any change to their security protocols after being attacked, and only 35% believe their current authentication solution is fully secure.
Multi-factor authentication (MFA) is being mandated by government bodies, cyber insurers, and technology vendors alike. Yet adoption hesitancy for traditional MFA — i.e., password plus another factor — persists. Reasons stated include:
- Poor user experience — Traditional MFA involves multiple, disparate steps to access work systems. Nearly half (49%) of respondents named poor user experience as an obstacle to implementation.
- Difficulty in integrating — 48% of respondents stated that lack of interoperability and integration with existing systems created challenges for traditional MFA.
- Passwords interfere with productivity — 63% shared they were unable to access critical information for their work after failing to remember a password.
Passwordless Security: Why It’s Needed
The good news — people are finding solutions to their authentication challenges in newer passwordless security technologies. 82% of respondents believe that passwordless multi-factor authentication will increase their organization’s security.
User experience matters when it comes to encouraging greater uptake of stronger authentication protocols, and here passwordless MFA differs from traditional MFA: 67% believe that passwordless MFA improves user experience.
Not surprisingly, the findings also revealed that securing remote workers is the primary driver in the move to passwordless, with 86% of organizations reporting it as their number one passwordless use case.
Looking at authentication practices across industries, the finance and insurance sector is more likely to adopt passwordless multi-factor authentication. Of those organizations that started a passwordless project in 2021, 25% of SMBs and 34% of enterprises were in the finance and insurance sector.
When planning a migration to passwordless authentication, nearly all respondents (97%) believe it’s important to keep authentication independent from their identity provider (IDP) or identity and access management (IAM) in order to reduce complexity. A full 70% say it’s essential for a solution to be seamlessly interoperable with multiple identity providers.
Ongoing Confusion About Passwordless Security
Unfortunately, although stronger security was named as the top priority for passwordless adoption, the majority of organizations that employ passwordless login use insecure methods. Per the 2022 report, only 16% of organizations with passwordless technology use phishing-resistant methods; the remainder employ shared secrets (any shared secret can be compromised by a hacker) or are uncertain what method their solution uses.
This indicates more education is needed on the difference between a “passwordless experience” — i.e., using biometrics to unlock an underlying password, or relying on OTPs or SMS codes — and fully removing passwords from the authentication process.
Download the Passwordless Security Report
Passwords have long been one of the weakest links in global cybersecurity, and the move to remote and hybrid work has only exacerbated this issue. Moreover, if the report is any indication, too many companies are willing to risk data breaches and account takeover rather than switch to a system that introduces friction and complexity.
Fortunately, we see a growing optimism among IT and security practitioners regarding passwordless multi-factor authentication technologies, particularly for standards-based passwordless security. A combined 96% of respondents say it’s important to leverage a standards-based approach such as Fast IDentity Online (FIDO).