Yubico’s second annual State of Password and Authentication Security Behaviors Report was conducted by the Ponemon Institute. Ponemon Institute surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, the United Kingdom, and the United States, as well as 563 individual users.
This year’s 2020 State of Password and Authentication Security Behaviors Report evaluates whether or not those behaviors have changed since the first report, and provides data to better understand the security practices and preferences of IT security practitioners and the end users they serve.
The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions. The tools and processes that organizations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”
Key findings from this research include:
- Individuals report better security practices in some instances compared to IT professionals. Of the 35% of individuals who report that they have been the victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. Of the 20% of IT security respondents who have been the victim of an account takeover, 65% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).
- Fifty-one percent of IT security respondents say their organizations have experienced a phishing attack, another 12% state that their organizations experienced credential theft, and 8% say it was a man-in-the-middle attack. Yet only 53% of IT security respondents say their organizations have changed how passwords or corporate accounts are managed and protected. Interestingly enough, individuals reuse passwords across an average of 16 workplace accounts, and IT security respondents say they reuse passwords across an average of 12 workplace
- Additionally, mobile use is on the rise. Fifty-five percent of IT security respondents report that the use of personal mobile devices is permitted at work, and an average of 45% of employees in the organizations represented are using their mobile device for work. Alarmingly, 62% of IT security respondents say their organizations don’t take the necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work-related items, and of these, 56% don’t use 2FA.
- Given the complexities of securing a modern, mobile workforce, organizations struggle to find simple yet effective ways of protecting employee access to corporate accounts. Roughly half of all respondents (49% of IT security respondents and 51% of individuals) share passwords with colleagues to access business accounts. Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents say that their organization uses a password manager, an effective tool to securely create, manage, and store
- IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 59% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 25% of IT security respondents say their organizations have no plans to adopt 2FA for customers. Of these 25%, 60% say their organizations believe usernames and passwords provide sufficient security, and 47% say their organizations are not going to provide 2FA because it will affect convenience by adding an extra step during login. When businesses do choose to protect customer accounts and data, the 2FA options used most often do not offer adequate protection for users.
- IT security respondents report that SMS codes (41%), backup codes (40%), and mobile authentication apps (37%) are the three main 2FA methods that they support or plan to support for customers. SMS codes and mobile authenticator apps are typically tied to only one device. Additionally, only 23% of individuals find 2FA methods like SMS and mobile authentication apps to be very inconvenient. A majority of individuals rate security (56%), affordability (57%), and ease of use (35%) as very important.
- It is clear that new technologies are needed for enterprises and individuals to reach a safer future together. Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges, and the security tools that organizations have put in place are not being widely adopted by employees or customers. In fact, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. What they prefer: biometrics, security keys, and password-free login.
- A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security respondents (65%) and individual users (53%) believe the use of biometrics would increase the security of their organization or accounts. Lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.
Full Survey Results and Methodology
Beyond the highlights listed above, the full 2020 State of Password and Authentication Security Behaviors Report delivers further statistics across several countries, organized around the following themes.
- How IT security respondents and individuals approach personal security
- Security behaviors and practices in the workplace
- Authentication mechanisms
- The popularity of passwordless authentication
- Protecting customers’ accounts with two-factor authentication
- How the increase in personal mobile devices is bringing risk to the workplace
- How IT security behaviors and beliefs vary by country
Data for this survey was collected by Ponemon Institute on behalf of Yubico. Ponemon Institute was responsible for data collection, data analysis, and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured between October 24 and November 15, 2019.