Ponemon Institute study uncovers demand for passwordless protection of user accounts, as organisations in the UK continue to grapple with usability and security best practice
Yubico, the leading provider of hardware authentication security keys, today announced results of the company’s second annual State of Password and Authentication Security Behaviours Report, conducted by the Ponemon Institute. Ponemon Institute surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users.
The conclusion from this year’s report is that UK IT security practitioners and individuals are both engaging in risky password and authentication practices. What’s more, the tools and processes that organisations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organisations can do far better than passwords; in fact, users are demanding it.”
Key UK findings from this research include:
- Individuals report better security practices in some instances compared to IT professionals. Out of the 35% of individuals who report that they have been victim of an account takeover, a whopping 76% changed how they managed their passwords or protected their accounts. Of the 22% of UK IT security respondents who have been a victim of an account takeover, 63% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (45%).
- 54 percent of IT security respondents say their organisations have experienced a phishing attack, with another 9% of respondents stating that their organisations experienced credential theft, and 7% say it was a man-in-the-middle attack. Yet, only 56% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed
- Alarmingly, 45% of IT security respondents say their organisations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use 2FA.
- 67 percent of IT security respondents reported that their organisation relies on human memory to manage passwords, while 43% say sticky notes are used. Only 34% of IT security respondents say that their organisation uses a password manager, which are effective tools to securely create, manage, and store passwords
- Meanwhile, IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 62% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 23% of IT security respondents say their organisations have no plans to adopt 2FA for customers
Most IT security respondents and individuals would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (60%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. And lastly, 56% of individuals and 47% of IT security professionals believe a hardware token would offer better security.
Full Survey Results and Methodology
Data for this survey was collected by Ponemon Institute on behalf of Yubico. Ponemon Institute was responsible for data collected, data analysis and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured October 24 to November 15, 2019.
To download the complete report and associated infographic, visit yubico.com/authentication-report-2020
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.
The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers.
Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries.
Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com.
UK Media Contacts
Ella Pryor/Charlotte Martin
020 3217 7060