Ever since employees began working from home to combat the COVID-19 pandemic, everyone knows the number of phishing attacks launched against organizations has skyrocketed. A survey of 425 IT professionals published by HYPR, a joint venture created by Comcast, Samsung, and Mastercard to eliminate the need for passwords, and Cybersecurity Insiders finds 90% of respondents experienced phishing attacks against their organization in 2020.
Nearly a third (29%) said they also experienced a credential stuffing attack where it was clear cybercriminals were attempting to employ a large number of stolen user identification names and passwords to compromise applications and systems.
Despite all these attacks, however, nearly half of the survey respondents (48%) said they still lack a passwordless solution. Among those that do have one, a full 91% of respondents said the primary reason they invested in multi-factor authentication (MFA) was to thwart phishing attacks, followed by providing a better user experience (61%).
Adoption of passwordless solutions
In terms of approaches to passwordless multifactor authentication being employed, 36% of respondents said they are using smartphones as FIDO tokens, 17% are using hardware security keys such as Yubico Yubikey or Google Titan, and 17% are leveraging built-in authentication tools such as Windows Hello.
Unfortunately, passwordless authentication is still not widely employed, and even when it is used, precisely what constitutes passwordless is open to interpretation. Among those organizations that have adopted MFA, the primary method for authenticating end users is via a message sent to their smartphone (73%). Many organizations, however, still rely on two-step multi-factor authentication to verify users, with 61% reporting their approach to a “passwordless” solution still requires a shared secret as an underlying password, a one-time password (OTP), or an SMS code.
On the plus side, 90% of respondents said they consider it essential or somewhat important to eliminate shared secrets for authentication. More than two-thirds (67%), however, said their organizations lack the right skills and teams to ensure broad adoption.
Overall, nearly three quarters (73%) said the most convenient way to employ passwordless multi-factor authentication would be via a smartphone. Nearly two-thirds of respondents (65%) also noted that interoperability across multiple providers of identity services is important.
Moving beyond passwords
Given the prevalence of phishing attacks, it should be apparent that the current reliance on passwords is antiquated. Phishing has always been an issue, but with more employees working from home, more of these attacks are compromising passwords that belong to corporate insiders. Consequently, insider threats in the form of malicious actors pretending to be someone else have become a major problem. Couple that problem with increased reliance on digital business processes, and the potential damage those malicious actors can inflict approaches the staggering.
The only way to ever eliminate these threats is to once and for all eliminate the password. So long as there are passwords, there will be phishing attacks. It’s not possible to change the behavior of cybercriminals. The only thing organizations have any control over is the methods relied on to authenticate end-users. If that method depends on some form of a password, it’s only a matter of time before that password is compromised. At some point, organizations will need to own up to the fact that right now they are more a part of the phishing problem than the solution.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.