The Path to Passwordless, Phishing-Resistant MFA: Emerging but Still a Long Road Ahead
Results from Axiad’s 2023 State of Authentication Survey
A lot has happened in the authentication industry over the past few years. As new technology, such as generative AI, has enabled cybercriminals to craft near-perfect phishing emails and execute other credential-based attacks quickly, easily, and cost-effectively, we’ve seen both the volume of attacks and their success rates increase. It seems that every day there’s a new attack in the news that started with compromised credentials.
Authentication vendors have long realized that passwords are no longer enough to keep cybercriminals at bay. To help organizations strengthen their security posture, they’ve launched innovative passwordless and passkey technology, including FIDO passkeys (WebAuthn credentials that are cryptographically bound to the site’s origin, which is what makes them resistant to phishing, unlike a code a user can be tricked into typing into a look-alike page). Just recently, we’ve seen the adoption of passkeys pick up momentum with top consumer brands such as Google and Amazon. We expect this trend to accelerate in the enterprise world as well.
Additionally, regulators, including the U.S. White House Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST), have weighed in to stress the importance of passwordless, phishing-resistant authentication. In fact, a joint cybersecurity advisory issued last month by CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) re-emphasized the need for organizations to require phishing-resistant MFA.
However, despite progress from vendors and guidance from regulatory bodies, most organizations continue to use passwords as their primary method of authentication. To better understand why this is the case as well as where organizations stand in their authentication journey, Axiad conducted a “2023 State of Authentication Survey.”
Survey Findings Shed Light on the State of Authentication
We surveyed more than 200 information technology (IT) professionals, and here’s what we found out:
- 39% indicated phishing is the most feared cyberattack, while 49% said it is the attack most likely to happen.
- 88% felt they were prepared to defend against a password-based cyberattack, yet 52% have fallen victim to one.
- 93% of respondents are still using passwords for business, citing the following as the biggest reasons they still use them:
  - Fear of change (64%),
  - The potential need to rip and replace technology (54%),
  - Time constraints (51%), and
  - Lack of staff (25%)
- When asked what technologies respondents will use over the next year:
  - 45% said they will use passwordless technology, and
  - 27% said they will use phishing-resistant multi-factor authentication (MFA)
- When asked which recent guidance has most impacted their organization’s authentication strategy:
  - CISA came out on top (41%),
  - Followed by NIST (26%), and
  - The White House OMB (13%)
Heading in the Right Direction, But More Work to be Done
Even though many organizations are still using passwords for authentication, recent industry guidance is tipping some toward passwordless, phishing-resistant MFA. This is reflected in the fact that 80% of respondents said either CISA, NIST, or the White House OMB is impacting their authentication strategy. In addition, the data revealed that more companies plan to use both passwordless and phishing-resistant MFA next year, compared to 2023. These are all encouraging signs that signify a shift in the right direction when it comes to authentication and preventing hackers from compromising credentials.
While we are encouraged to see some organizations starting down the right path, we still have a long way to go to make passwordless, phishing-resistant MFA the new gold standard for authentication, especially as fear of change and the potential need to rip and replace existing technologies remain barriers to enterprise adoption.
It is our hope, though, that more organizations will realize that passwords simply cannot stand up against today’s AI-powered phishing and credential-based attacks. This fact alone should motivate them to make an authentication change, but we as an industry need to continue supporting them with technology, guidance, and best practices. These resources are available today, and organizations need to make strengthening authentication a priority in 2024.
How Axiad Can Help
Axiad allows organizations to move to a passwordless future without the friction and risk of fragmented solutions. Axiad Cloud delivers organization-wide passwordless orchestration to connect users and machines to data and applications from anywhere, helping organizations optimize their cybersecurity posture while navigating underlying IT complexity.
This fully integrated passwordless approach helps organizations become more phishing resistant. It takes a critical step toward implementing Zero Trust security by routinely verifying before authenticating. It also layers on top of existing IdPs, avoiding the need to rip and replace technology while making the most of existing investments.