Organizations around the world — including in Canada — are increasingly adopting multifactor authentication (MFA) to improve their cybersecurity posture, a new report from Cisco Systems suggests.
The numbers, which come from an analysis of the use of Cisco’s Duo MFA platform, show authentications through Duo were up almost 15 per cent in the U.S. this year over 2021, almost 24 per cent in the U.K., and almost 25 per cent in Canada.
“We have moved well beyond the discussions of password complexity to those where investing in multi-factor authentication (MFA) and passwordless technology are mandatory costs of doing business,” Cisco concluded in a report analyzing the data.
In an interview, Dave Lewis, global advisory chief information security officer (CISO) at Cisco Canada, noted there was a 50 per cent increase in the percentage of accounts allowing passwordless WebAuthn authentication among Duo users, part of a fivefold increase in WebAuthn usage since April 2019.
“This is a very good thing to see because it [WebAuthn] is a root piece of passwordless technology.”
On the other hand, he was disappointed that the use of biometrics on smartphones for logins among Duo users “have sort of plateaued“ at 81 per cent. He suspects that’s because in the first years of the pandemic — 2020 and 2021 — IT leaders rushed to get employees working online from home without always taking security procedures into account.
Evidence of that is remote access authentications on Duo peaked in 2020 but have declined since then, reaching lower than pre-pandemic levels.
“I‘m very optimistic that next year when we run through the data we’ll see the number has climbed,” Lewis said.
The analyzed data from more than 13 billion authentications on Duo, from over 49 million devices worldwide, between June 1, 2021 and May 31, 2022.
Among other findings
-less than 1 per cent of organizations using Duo implement explicit deny or allow location policies. However, among those enterprises that do deny geographic locations, they block either Russia or China 91 per cent of the time. Sixty-three per cent block both countries;
–the percentage of login authentication failures due to devices with out-of-date applications increased by almost 52 per cent between 2021 and 2022, despite the fact that the percentage of Duo users with policies governing out-of-date devices decreased 7.1 per cent.
–users in the education sector again had the highest number of out-of-date browsers on their devices (56.7 per cent), followed by healthcare (52.3 per cent), retail/catering/leisure (46.3 per cent), legal (45.4 per cent), and travel/transport (44 per cent).
“Lingering security debt that remains in organizations will continue to provide adversaries with targets of opportunity,” the report notes. “Companies need to hone their craft and better focus on access control and dealing with deprecated systems that may continue to operate in their environments long past their life expectancy. Patching has been much maligned by security practitioners over the years — not because it shouldn’t be done, but rather because no one ever wants to do it. As a result, issues crop up, with long‑published vulnerabilities being made into exploits that realistically should not hold any sway in modern enterprises. Yet, they wait on the wire.
“Making use of multi-factor authentication and/or passwordless authentication models are essential for the modern business enterprise.”