Users still have to juggle far too many passwords, which leads to password sharing, reuse, and other bad habits, according to a new report from password manager LastPass.
Organizations spend a lot of time, money, and energy protecting themselves from hackers and cybercriminals. Much of that effort goes toward securing their networks, data, and other assets. But all that security can go only so far if your employees aren’t protecting their own logins, accounts, and information. Tools such as multi-factor authentication have gained traction, but the poor use and management of passwords remains a thorn in the side of security, says a report released Tuesday by LastPass.
In an analysis of more than 47,000 organizations around the world that use LastPass for password management, LastPass found that 57% adopted multi-factor authentication (MFA), up 12 percentage points from last year’s report. Drilling down, 95% of employees who used MFA did so through a software program such as a mobile app. Only 4% used a hardware solution, while just 1% used biometrics such as facial or fingerprint recognition.
Among employees using MFA with LastPass, LastPass Authenticator is the most popular option at 39%. Duo Security is the top choice among 31%, while Google Authenticator is most popular among 24% of respondents. Other choices included Yubikey at 4% and Microsoft Authentication at 1%.
Among businesses, those in the technology and software sector were most likely to adopt MFA for login authentication, with 37% of employees using it. The education sector is next with 33% of employees using it, followed by banking and financial with 32%. At the bottom of the list, the insurance and legal industries scored lowest for MFA implementation, with only 20% of employees using it in each of the two industries.
The larger the organization, the greater the likelihood of using MFA. At businesses with more than 10,000 workers, 87% of the employees use MFA for login authentication. At businesses with 1,001 to 10,000 staffers, 78% of employees use MFA. At the lower end of the scale, companies with 26 to 100 workers have only 34% of employees who use MFA. And for businesses with up to 25 workers, only 27% use MFA.
Despite the increased adoption of MFA, the need for passwords is still a source of frustration and a persistent area of weakness in the face of other security measures. Much of that is due to the sheer number of passwords that workers must juggle, a burden that varies based on the size of the company. At large companies with 1,001 to 10,000 workers, where single sign-on methods may be more prevalent, the average employee must maintain around 25 passwords. But at smaller companies with 1 to 25 workers, where fewer authentication resources and technologies are available, the average employee must grapple with 85 different passwords.
The volume of passwords as well as other factors can lead to such tendencies as password sharing. Many departments and groups may own just one or two licenses for a service that several employees and external contractors must access. The one or two passwords set up and required to use this service may then get shared among all the parties involved, opening the door to security risks.
The need to juggle so many passwords also leads to password reuse. Employees easily rely on the same or similar passwords across multiple accounts, applications, services, and sites. A password that’s stolen or compromised for one account can then be used by a hacker to gain access to other accounts from the same user.
To help organizations better manage their login security and authentication, LastPass offers the following pieces of advice:
To generate the report’s findings, LastPass anonymized and aggregated data from more than 47,000 organizations using LastPass. Though the data came only from LastPass users, the company said it feels that the conclusions are broad enough to apply to businesses at large.
