
Most Organizations Still Using Phishable Multifactor Auth

  • Author
    Nok Nok News
  • Published
    2 Aug 2023
Featured Press Release

Survey Reveals Majority of Organizations Still Using Phishable Multifactor Methods for Customer Authentication

San Jose, CA – August 2, 2023 – Nok Nok, a leader in passwordless authentication for the world’s largest organizations, and Enterprise Strategy Group (ESG) today released the findings of a comprehensive survey on the state of passwords. ESG surveyed over 350 IT, cybersecurity, and application development professionals responsible for identity and access management programs in North America. The results shed light on the challenges organizations continue to face using traditional authentication methods and the increasing interest in passwordless authentication as a more secure and user-friendly alternative. With the availability of low-cost cloud CPUs to crack passwords and the prevalence of known accounts/passwords, organizations recognize that passwords are not secure. The survey revealed that traditional authentication methods, such as passwords, are not effective in the face of evolving cyber threats [this seems like a conclusion that has already been proven over the past decade]. Moreover, legacy multifactor authentication (MFA), such as SMS, one-time password (OTP) or email codes, has proven to be susceptible to social engineering and phishing attacks, while introducing user friction and degrading the user experience.

  • 72% of organizations still use phishable MFA factors for their customer-facing applications. The cost and risk of lost or stolen data, business, and funds from compromised accounts is motivating organizations to make MFA mandatory for their customers. Unfortunately, they haven’t gone far enough and still rely on the weakest forms of phishable MFA: SMS and one-time email codes.
  • 52% of organizations said eliminating customer passwords had a significant positive impact on revenue. In addition to the expected risk reduction that comes from deploying passwordless authentication for customer-facing apps, removing friction from passwords and MFA positively impacted revenue, customer productivity and satisfaction, and credential-based cybersecurity incidents.
  • 76% of organizations experienced multiple account or credential compromises over the past 12 months. Organizations face a multitude of disparate attack vectors targeting weak authentication methods. Unfortunately, organizations are still not prepared to respond to account or credential compromise, and thus multiple incidents have become the norm.

The survey also highlighted the importance of passwordless authentication for customer-facing applications. Organizations understand the risks of account takeover attacks and the need to secure customer identities. However, a significant portion of customer identities are believed to continue to be insufficiently secured. To mitigate these risks, organizations are prioritizing customer authentication practices, with 36% of the respondents designating authentication as a critical activity.

“In the face of weak passwords and phishable legacy authentication solutions, the survey shows that customer passwordless authentication can deliver a host of security enhancements and increase the user experience,” said Jack Poller, Senior Analyst, ESG. “Benefits include reduced calls to help desk/IT for password resets and account lockouts, to increased customer productivity and satisfaction by eliminating the friction from passwords and MFA, as well as eligibility to obtain cyber-insurance or reduce rates.”

The findings of the survey indicate that organizations are actively investing in strong authentication, with passwordless authentication gaining traction. Passwordless authentication not only enhances security but also improves the user experience by eliminating the need to remember complex passwords and reducing the reliance on phishable MFA factors.

“This survey reveals that organizations are still relying on the most common, weakest methods of MFA, SMS, and one-time email codes, even when FIDO-based phishing resistant strong authentication is available,” said Phil Dunkelberger, CEO of Nok Nok. “Major platform vendors such as Google, Apple and Microsoft have all embraced FIDO standards and are rolling out passkeys for consumers. It is time enterprises do the same for their customer authentication.”

For a copy of the results with more detailed information and insights from the survey, please review The State of Passwordless Authentication eBook.

About TechTarget

TechTarget is a leading technology media company that provides trusted and targeted content to enterprise technology buyers and decision-makers. With a network of over 140 technology-specific websites, TechTarget delivers quality content, research, and analysis to help organizations make informed technology purchasing decisions.

About Nok Nok

Nok Nok is a leader in passwordless customer authentication and delivers the most innovative FIDO (Fast IDentity Online) solutions for the passwordless authentication market today. Nok Nok empowers organizations to significantly improve their user experience and security, and reduce operating expenses, while enabling compliance with the most rigorous privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-enabled passwordless customer authentication. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in next-level, multi-factor authentication. Nok Nok’s global customers and partners include AFLAC Japan, BBVA, Carahsoft, Fujitsu Limited, Hitachi, Intuit, Mastercard, MUFG Bank, NTT DATA, NTT DOCOMO, Standard Bank, T-Mobile, and Verizon. For more information, https://staging.noknok.com/.
