Multi-factor authentication (MFA) is an approach to authenticating and verifying user identity using more than one method of authentication. It is, in essence, a security measure that acts as an extra layer of defense, preventing illegitimate users from accessing sensitive resources. MFA requires users to confirm their identity to prove that they are who they say they are. MFA is an important tool in securing user identities and is often regarded as a critical component of any company’s identity and access management policy.
Once a user has entered their credentials, MFA solutions may request that the user complete additional authentication steps before they are granted access. Common authentication factors (ways of authenticating identity) include one-time passcodes delivered by an authenticator app, answering a security question, or completing a biometric scan using facial recognition or a fingerprint.
While an attacker may be able to guess (through social engineering or brute force) or steal credentials, it is significantly more difficult to steal and input biometric data or OTPs from an app. This prevents attackers from accessing a user’s account. MFA significantly enhances security and can help prevent account takeover incidents, breaches, data losses, and other account threats.
Stolen credentials are frequently listed as a main cause of security and account breaches. MFA, password management, and identity and access management tools can effectively secure your accounts.
We’ve compiled some recent statistics from a range of major and influential cybersecurity sources to empower you to make smarter decisions regarding MFA and your organization.
Multi-factor authentication and two-factor authentication are part of a wider approach to cybersecurity known as zero trust. This is a security framework that uses a “trust no one” philosophy. It requires all network users, internal and external, to be authenticated and authorized continuously, rather than giving the benefit of the doubt. MFA and 2FA are key tools for organizations looking to implement zero trust security.
Multi-Factor Authentication Statistics
According to LastPass, in 2019 57% of businesses globally used MFA–a 12% increase from the previous year. Use of 2FA has increased by 51% from 2017 to 2021. Adroit Market Research predicts that by 2025, MFA will have a $20 billion market share. However, there is still room for improvement and not every company has been quick to adopt MFA and 2FA.
The Global Small Business Multi-Factor Authentication (MFA) Study, conducted by the Cyber Readiness Institute, found that 54% of small to medium sized businesses (SMBs) do not implement MFA for their business and only 28% of SMBs actually require MFA to be implemented. Okta’s recent Secure Sign-In Trends Report found that highly regulated industries and large-scale enterprises actually lagged behind in MFA adoption.
And for those who have adopted MFA, what has the impact been and what does it look like?
The Okta Secure Sign-In Trends Report also revealed that push notifications were the most widely used MFA factor, followed by SMS notifications and soft tokens. The technology industry was the most likely to adopt MFA or 2FA, at 87% of organizations, while the least likely were the transportation and warehouse industries, where MFA adoption was only 39%. Admins also adopted MFA at a higher rate than non-admin users.
It can be hard to judge the effectiveness of MFA in comparison with other security tools. In 2019, Google claimed that simply adding your mobile phone to your Google account for additional verification helped in blocking up to 100% of automated bots, 66% of targeted attacks, and up to 99% of bulk phishing attacks. The MFA approach requires users to give additional proof that the user is who they say they are when Google detects a suspicious sign-in attempt.
To understand the importance of MFA–and the problems that arise when it’s not implemented–it’s worth considering contextual information surrounding companies, breaches, credential theft and improper use. The following statistics help to contextualise and inform you of the statistics surrounding MFA and its implementation.
External actors were responsible for 83% of breaches in 2023
According to Verizon’s 2023 Data Breach Investigations Report, external threat actors and hackers were responsible for the majority of breaches this year, clocking in at 83%. These threat actors rely on a variety of tactics and techniques to access a network, including phishing communication, brute force attacks, and Trojan malware. Another key way that hackers can gain access to your network is through leveraging stolen credentials.
The remainder of breaches during this time period—almost 1 in 5—were caused by internal actors. Many of these breaches are caused by internal actors with financial motives, or because they hold a grudge against the company. Alternatively, it could be because the individual subscribes to a different view or politics than their employer – this could encompass climate-related activism, for instance. Equally, many instances of insider-caused breaches are due to error or mistakes.
74% of all breaches included a human element
In the same Verizon 2023 Data Breach Investigations Report, it was revealed that 74% of all reported breaches had a human element as either the total or part reason for the breach. “Human element” can refer to a range of scenarios – ultimately, it comes down to humans being responsible for a vulnerability, either knowingly or unknowingly. This can include privilege misuse, stolen credentials, social engineering attacks, or genuine human error.
61% of all breaches involve credentials
Again, the Verizon report also revealed that 61% of all breaches exploited user credentials and that 50% of these breaches were directly caused by stolen credentials. These credentials may have been stolen through social engineering attacks (like phishing and imitation websites where users can enter their login details) or from being hacked using brute force.
In some cases, attackers will use harvesting malware which can pull credentials from files and caches. It’s clear that credentials and credential theft continues to be a major problem, leading to an increased interest in password managers and security training in recent years.
Stolen credentials can allow attackers unfettered access to a user’s files, the company network, data, and every connected account. Once they have gained access to your account, threat actors can steal data, cause a wider breach, move laterally to compromise more privileged users, and cause network disruption.
In order to prevent this host of issues, MFA can help to stop accounts being compromised in the first place. While an attacker may still be able to steal your credentials, they will not be able to gain access unless they pass the MFA checks.
The majority of cloud data breaches have been associated with access
According to Ermetic’s State of Cloud Security 2021 report, 83% of organizations have reported that at least one of the cloud data breaches they were victim of were related to access. In the Ermetic State of Cloud Security Maturity report, it was also noted that 52% of all organizations assessed lacked visibility into the network resources a user can access and the level of permissions they have.
Ermetic’s State of Cloud Security 2021 report also reveals that the majority of respondents noted that identity and access management permission errors were one of their biggest concerns. Permission errors were the third highest cloud security threat, with the positions one and two going to misconfigurations and lack of visibility into access settings and activities respectively. Without comprehensive insight into permissions and access settings, companies are vulnerable to exploitation. MFA is a key method in ensuring access is properly managed and security is maintained.
Accidental exposure of credentials is a major concern for cloud security
In 2021, a survey of major cloud security concerns was conducted by Statista. It was found that 44% of companies asked had a major concern that they would experience an accidental exposure of credentials. This was the third biggest concern, ranking behind data privacy and confidentiality at 66% and data loss or leakage at 69%.
Credential exposure can create further problems if organizations don’t have strong identity and access management solutions in place to combat any instances of attackers trying to access and use company user accounts. Again, MFA can play an instrumental part in preventing attackers at the point of sign in.
Financial reasons are the primary motivator for attacks
Money is what makes the criminal world go round and cybercrime is no exception. In Verizon’s 2023 report, it was revealed that the primary motivation for attacks were financial – 95% of all reported breaches in the past year were driven by financial factors.
The average cost of a data breach is USD 4.35 million
In IBM and Ponemon Institute’s Cost of a Data Breach report from 2022, several key findings highlighted the devastating financial impact of a successful data breach. They revealed that the average total cost of a data breach came in at an eye-watering USD 4.35 million and that 83% of organizations have had more than one breach in the past year. They also uncovered that, of companies that experienced a successful breach, 19% of these breaches had occurred because of a compromised business partner. This means that an attack on a third-party supplier or partner company had a direct effect on the original organization.
The Ponemon Institute report also explained that breaches caused by stolen or compromised credentials totalled an average cost of USD 4.50 million. These breaches also tended to have the longest lifecycle. On average, it took 243 days for staff to be able to identify the breach, and then a further 84 days to contain the breach.
In 2022, it took teams an average of 207 days to identify the breach and then a further 70 to be able to contain it. This extra time can make a difference in mitigating damage and preventing data losses. It’s simple: shorter data breaches result in lower data breach costs. With stolen or compromised credentials, attackers can stay under the radar for a lot longer than had they accessed the network via brute force. Account compromise can often go unnoticed–especially for inactive accounts of former users.
Further to this, the average cost of a data breach for critical infrastructure organizations was USD 4.82 million, which is $1 million more than the average cost for companies in other industries. “Critical organizations” are companies that operate in the financial, industrial, energy, communication, healthcare, public sector, education, technology, and transport industries. Of these critical companies, 79% didn’t deploy a zero-trust architecture and 17% had experienced a breach as a result of a business partner being compromised.
Nearly 80% of organizations that have experienced a breach did not employ a zero-trust architecture. This is a particularly telling statistic. Without a zero-trust approach to continuously verify and authenticate users, attackers can leverage credentials, take over accounts, and make lateral movements within a network.
One of the top security related cloud threats is account compromise
While the global migration to the cloud offers a range of benefits and opportunities, moving your business operations to the cloud is not without its security problems and downsides. These include problems surrounding identities, access, and credentials. Maintaining cloud security and managing identities has become more important than ever before, with 76% of enterprises using two or more cloud providers. In the past year, 45% of all breaches were cloud-based.
In CheckPoint’s 2022 Cloud Security Report, one of their key findings was that there has been an increase in public cloud security incidents. The figure sits at 27% of organizations being affected, an increase of 10% from the preceding year. Of this total, 15% of these incidents were caused by instances of account compromise and a further 15% from users exposing data, alongside more complex reasons such as misconfigurations.
Password hygiene and best practices continue to fall short
A chain is only as strong as its weakest link and, apparently, a company’s security is no stronger than the “qwerty” password one of their employees uses.
Credentials have always been a difficult thing for organizations to manage. While employers can stress the importance of good password hygiene and implement password managers within their organizations, maintaining password security can be difficult. The most common passwords in 2023 remain “123456”, “123456789”, “qwerty”, “password”, and “12345”. Users also continue to manage passwords unsafely – often leaving them on scraps of paper, storing them in easily accessible files, or sending passwords via text or email.
The 2021 Workplace Password Malpractice Report has found that password misuse and malpractice continues to be a problem even with improved awareness and more widespread training. The report revealed that over half of the respondents (57%) admitted to writing their passwords for work accounts on sticky notes, with 67% of this figure admitting to having lost these notes at some point. 62% also said they stored their login credentials in notebooks and 82% of this group said that they leave these notebooks next to their work devices, where they can be in plain view and easily accessed.
In the same report, 49% of respondents said they save passwords for work-related accounts in documents stored in the cloud and 51% said that they saved passwords in a document that was saved to their computer. An additional 55% also confessed to saving passwords on their mobile phone.
These statistics highlight how easily passwords can be compromised and stolen. Through implementing MFA, you retain a level of security, even when account credentials are stolen.
While we may hear more about password hygiene, the statistics show that we need to be better. It can be difficult to break habits and apparently even more difficult to end our love affair with terrible passwords. MFA can act as an obstacle between an attacker gaining credentials and actually getting access to your accounts.
No two attacks, attackers, or motives are the same. However, from the statistics detailed in this article, it is clear that stolen credentials, account takeover, and impersonation tactics continue to be among the largest contributors to security and data breaches. MFA, bolstered by other identity and access management solutions, can be highly beneficial in preventing and mitigating these breaches.
This isn’t to say that tools like password managers and security measures like security awareness training aren’t important – because they are. But it’s clear that credentials are highly sought-after pieces of information. Maintaining password and account security should, therefore, be a priority for all organizations wanting to protect their accounts and data. MFA can act as an essential barrier when attackers have made the first step in an attack lifecycle and obtained login credentials.