57% of Businesses Use Multi-Factor Auth (MFA), Says LastPass

[steven36]

Approximately 57% of businesses around the world are currently using multi-factor authentication (MFA), with a 12% gain over the stats from last year according to research from LastPass based on data from 47,000 orgs.

 

 

Multi-Factor Authentication (MFA) a method of authentication designed to add an extra layer of protection on top of the users' credentials. When MFA is enabled for an online service, the user will also be prompted to enter an authentication code from their MFA solution (hardware or software-based) after logging in using their usernames and password.

 

"Securing employee access has never been more important and unfortunately, we see businesses ignore password security altogether, or only half-heartedly attempt to address it," said LogMeIn Chief Information Security Officer, Gerald Beuchelt.

 

"This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits."

95% use software-based MFA authentication 

"The increase in businesses using multifactor authentication (MFA) is one of the biggest takeaways from this year’s report, with significant gains in usage compared to our findings in 2018," says the report.

 

Out of all the employees utilizing MFA, 95% use a software-based multi-factor authentication tool like a mobile app, while only 4% of the total have a hardware-based MFA solution and roughly 1% use biometrics.

 

"Given the scalability and lower cost of software-based choices, it’s unsurprising that they’re currently the most popular," adds the report.

 

A previous study from Spiceworks shows that 62 percent of organizations around the globe currently use biometric authentication tech, with an additional 24 percent of them planning to switch to it within the next two years.

 

"Fingerprint and face scanners are the most common types of biometric authentication used on corporate devices and services," said Spiceworks.

 

"The results show 57 percent of organizations are using fingerprint scanning technology, while 14 percent are using face recognition technology."

Data from 47,000 organizations of all sizes

This year's LastPass Global Password Security Report on the state of password usage by businesses all over the world is based on aggregated and anonymized data collected from roughly 47,000 organizations that use LastPass, including info related to MFA, SSO, and mobile password management.

 

"Though the data set represents LastPass users, given the breadth and depth of the data set, conclusions are broad enough to be applied to the business community at large," says LastPass.

 

The highlights of the report are as follows:

• Worldwide: More than half of businesses globally have employees using multi-factor authentication
• Progress: IT admins take advantage of policies and integrations to increase security and streamline management, but more IT admins could be mandating the use of multi-factor authentication
• Leading: The Netherlands emerges as a leader in security this year, with high usage of multi-factor authentication and the top Security Score
• Mobility: The ability to access passwords on mobile significantly improves the experience – and employee adoption
• Risk: Password reuse is still widespread, and contributes to lower Security Scores
• Initiatives: Internationally, increased regulations appear to be a driving factor in password security awareness, especially in EMEA and APAC
• Accountability: IT organizations must take responsibility for ongoing training and take proactive measures to eliminate risky password behaviors and improve company-wide Security Scores

 

The most concerning of all the study's findings is that password reuse and sharing is still a very common practice in most organizations, with their employees reusing a password an average of 13 times.

Out of all businesses that took part in this year's study, the employees of smaller orgs with fewer than 1,000 agents reused 10-14 passwords compared to only about four reused passwords in the case of larger businesses.

Hardware-based MFA is the way to go

To put things into perspective when talking about MFA, Director of Identity Security at Microsoft Alex Weinert said in an Azure Active Directory Identity Blog post that "your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."

 

This month, Weinert also added that "use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population."

 

While Google also said in May that "simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks," the fact that "zero users that exclusively use security keys fell victim to targeted phishing during our investigation" shows just how much more effective hardware-based MFA actually is when compared to the SMS-based version for instance.

 

Microsoft and Google also provide easy to follow procedures on how to secure your accounts, with Microsoft having a support page on the five steps to secure your identity and Google having published a blog post about the five things to do to stay safe online.

 

Source