Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic.
With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.
Many fail to follow best practices for password management, and that leaves them exposed: compromised credentials are behind more than 50% of breaches, according to the Verizon 2023 Data Breach Investigations Report.
“Authentication strategies are firmly in cybercriminals’ crosshairs,” said Michael Greene, CEO of Enzoic. “Despite this recognized vulnerability, enterprises continue to deploy archaic strategies that fail to eliminate authentication mechanisms as a threat vector. The much-hyped passwordless future is not on the horizon anytime soon for most organizations, so it’s vital to adopt modern and robust password policies that don’t add friction for users.”
Passwordless reality
Only 12% of companies rely on passwordless strategies, while 68% primarily use usernames and passwords for authentication. Another 46% plan to phase out passwords within the next three years, but 19% have no such plans, reflecting that, despite their problems, passwords remain an important authentication mechanism.
Organizations that still rely on passwords, the predominant authentication method, should prioritize bringing their practices in line with modern password policies. MFA is a compensating control: it enhances strong password measures rather than replacing them. By monitoring the dark web for exposed credentials and eliminating any that are in use in their environment, organizations can close off a common entry point for attackers.
Dark web dilemma
84% are concerned about weak and compromised passwords, yet many remain in the dark about the risks they face. 46% think that a fifth of their passwords could be on the dark web, 26% are unsure whether their organization's passwords can be found there at all, and 56% have encountered usability or compatibility issues with MFA.
Cyberattack spurs action
However, once a business suffers an authentication-related cyberattack, this is often the impetus to shore up defenses.
Following an attack:
- 38% conduct regular security audits and vulnerability assessments
- 28% implement MFA
- 30% strengthen password policies
- 26% educate users
- However, 10% make no changes after an attack occurs!
Password best practice knowledge gap
Despite NIST's password guidance (SP 800-63B, published in 2017), which drops periodic resets and composition rules in favour of screening passwords against lists of known compromised values, 54% of organizations only learned about the framework in the last 12 months, and a staggering 33% are still unaware of it. This is reflected in the 74% of companies still relying on periodic password resets and outdated character rules.
The direct consequence of this knowledge gap is that password strategies remain outdated, increasing the likelihood of an attack.
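The contrast between the outdated rules above and the NIST approach, and the exposed-credential screening mentioned earlier, can be made concrete in code. The following is an added example, not Enzoic's code or any tool the research describes; the breach corpus and the range lookup are constructed stand-ins for a real compromised-credential service (a production check would query such a service rather than a local set), and the 90-day rotation period is assumed for the legacy policy.

```python
"""Legacy composition rules versus an SP 800-63B-style check with breach screening.

Added example, not code from the article or from Enzoic. The breach corpus and
range_lookup() are constructed stand-ins for a real compromised-credential service.
"""
import hashlib
import re

# Constructed breach corpus: SHA-1 digests of a few passwords of the kind found in
# public credential dumps. SHA-1 here is only a lookup identifier, never a storage
# format; stored passwords still need a slow, salted hash.
_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2023!", "qwerty123", "letmein")
}


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a k-anonymity 'range' query: given the first 5 hex characters of a
    SHA-1, return every matching 35-character suffix. Only the prefix leaves the client,
    so the service never learns the full hash of the password being checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return {h[5:] for h in _BREACHED if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """Hash locally, send the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def legacy_policy(password: str) -> list[str]:
    """The 'outdated character rules' the article refers to: four character classes,
    no breach check. Returns a list of problems; empty means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems


def nist_policy(password: str, context_words=()) -> list[str]:
    """SP 800-63B memorized-secret rules: at least 8 and at most 64 characters, no
    composition rules, reject context-specific strings (user name, service name)
    and anything found in a breach corpus. Dictionary screening is omitted here."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8")
    if len(password) > 64:
        problems.append("longer than 64")
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    if is_compromised(password):
        problems.append("found in breach corpus")
    return problems


def needs_reset(days_since_change: int, compromised: bool, legacy: bool) -> bool:
    """Legacy: force rotation every 90 days (assumed period) whether or not anything
    happened. NIST: rotate only on evidence of compromise."""
    if legacy:
        return compromised or days_since_change >= 90
    return compromised


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_policy(pw) or 'ok'} "
              f"nist={nist_policy(pw, ['acme']) or 'ok'}")
```

"Password1!" satisfies every composition rule yet sits in the constructed breach corpus, so the legacy policy accepts it and the NIST-style check rejects it; the passphrase fails two legacy rules and passes the NIST check. The k-anonymity lookup is the shape to insist on when wiring a real service in, so that screening does not itself leak the password.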
“It’s imperative that companies see past the passwordless hype and take action today to strengthen credential security,” Greene elaborated.