Poor authentication practices persist in global organisations

Yubico has published the results of the company’s second annual State of Password and Authentication Security Behaviours Report, conducted by the Ponemon Institute. Ponemon Institute surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users. 

The conclusion from this year’s report is that UK IT security practitioners and individuals are both engaging in risky password and authentication practices. What’s more, the tools and processes that organisations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together. 

“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organisations can do far better than passwords; in fact, users are demanding it.”

Key UK findings from this research include:

·         Individuals report better security practices in some instances compared to IT professionals. Out of the 35% of individuals who report that they have been victim of an account takeover, a whopping 76% changed how they managed their passwords or protected their accounts. Of the 22% of UK IT security respondents who have been a victim of an account takeover, 63% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (45%).

·         54 percent of IT security respondents say their organisations have experienced a phishing attack, with another 9% of respondents stating that their organisations experienced credential theft, and 7% say it was a man-in-the-middle attack. Yet, only 56% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed

·         Alarmingly, 45% of IT security respondents say their organisations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use 2FA. 

·         67 percent of IT security respondents reported that their organisation relies on human memory to manage passwords, while 43% say sticky notes are used. Only 34% of IT security respondents say that their organisation uses a password manager, which are effective tools to securely create, manage, and store passwords 

·         Meanwhile, IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 62% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 23% of IT security respondents say their organisations have no plans to adopt 2FA for customers

Most IT security respondents and individuals would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (60%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. And lastly, 56% of individuals and 47% of IT security professionals believe a hardware token would offer better security.