PRWeb
Published on: Aug 3, 2023
Nok Nok, a leader in passwordless authentication for the world’s largest organizations, and Enterprise Strategy Group (ESG), today released the findings of a comprehensive survey on the state of passwords. ESG surveyed over 350 IT, cybersecurity, and application development professionals responsible for identity and access management programs in North America. The results shed light on the challenges organizations continue to face using traditional authentication methods and the increasing interest in passwordless authentication as a more secure and user-friendly alternative.
With the availability of low-cost cloud CPUs to crack passwords and the prevalence of known accounts/passwords, organizations recognize that passwords are not secure. The survey revealed that traditional authentication methods, such as passwords, are not effective in the face of evolving cyber threats. Moreover, legacy multifactor authentication (MFA), such as SMS, one-time password (OTP) or email codes, has proven to be susceptible to social engineering and phishing attacks, while introducing user friction and degrading the user experience.
The survey also highlighted the importance of passwordless authentication for customer-facing applications. Organizations understand the risks of account takeover attacks and the need to secure customer identities. However, a significant portion of customer identities is believed to remain insufficiently secured. To mitigate these risks, organizations are prioritizing customer authentication practices, with 36% of the respondents designating authentication as a critical activity.
“In the face of weak passwords and phishable legacy authentication solutions, the survey shows that customer passwordless authentication can deliver a host of security enhancements and increase the user experience,” said Jack Poller, Senior Analyst, ESG. “Benefits include reduced calls to help desk/IT for password resets and account lockouts, to increased customer productivity and satisfaction by eliminating the friction from passwords and MFA, as well as eligibility to obtain cyber-insurance or reduce rates.”
The findings of the survey indicate that organizations are actively investing in strong authentication, with passwordless authentication gaining traction. Passwordless authentication not only enhances security but also improves the user experience by eliminating the need to remember complex passwords and reducing the reliance on phishable MFA factors.
“This survey reveals that organizations are still relying on the most common, weakest methods of MFA, SMS, and one-time email codes, even when FIDO-based phishing-resistant strong authentication is available,” said Phil Dunkelberger, CEO of Nok Nok. “Major platform vendors such as Google, Apple and Microsoft have all embraced FIDO standards and are rolling out passkeys for consumers. It is time enterprises do the same for their customer authentication.”