
2023-State-Of-Authentication-Report - OnAuth

State of Authentication 2023

Uploaded by

Roberto Tellez

State of Authentication Report

April 2023

Contents
Executive Summary
High Level Findings
Demographic Overview of Survey Respondents
Survey Findings
Authentication & Access Management Priorities
Current IdPs in Enterprises Today
Multiple IdPs Exist for Authentication & Access Management
Perceptions of Traditional MFA
The State of Passwordless Technologies
Device Trust Technologies
The impact of Cyber Insurance on Authentication & Access Management
About Arculix by SecureAuth
About VIB

Time to Kill Traditional MFAs

Executive Summary
SecureAuth’s inaugural State of Authentication report is based on a detailed research survey conducted
independently by ViB Research. The report is based on a survey of 285 IT and security professionals from mid to
large enterprises in North America. It provides insight into the current state of authentication and the latest innovation
adoption trends like invisible MFA, device trust, and passwordless technologies.

Authentication Security is Top Priority


Authentication has become one of the top priorities, with 84% of the respondents placing authentication and access
management in their top 3 to 5 cyber security priorities. Another 11% placed it in their top 10.

Traditional MFA is Popular, but Susceptible to Attacks


While credential related attacks continue to be the top vector for cyberattacks, the research showed that most
companies are still stuck in the world of legacy MFAs. However, it was reassuring to see that most respondents have
MFA practices in place instead of using simple passwords. Despite the prevalence of traditional MFA, respondents do
have many security-related concerns about traditional or “legacy” MFA, including:

• Over half think the technology is susceptible to cyberattacks. Twenty one percent feel traditional MFA cannot be
used as an effective hacker deterrent because adoption rates are too low in operational terms.

03 State of Identity Report



• Most respondents have little confidence in using traditional MFAs to thwart credential related cyberattacks. When asked,
“Given that most attacks occur through credentials, how confident are you that traditional MFA is enough to thwart attacks?”
only 5% are very confident with another 40% somewhat confident. Not a strong vote of confidence for traditional MFAs.

• Traditional MFA has users authenticate using verification factors like one-time passwords (OTPs) and personal identification
numbers (PINs) transmitted over SMS text messages, emails or phone calls. While these MFA techniques were considered
revolutionary when they debuted in the late 1990s, they are increasingly viewed as “better than nothing,” but problematic from a
security perspective. Most respondents picked One-Time-Passwords or OTPs with 38% selecting that as one of the methods. The
next most popular passwordless technologies were PINs (27%) and biometrics, which was tied with security keys at 26%.

Given the weaknesses associated with traditional MFAs that are easily exploitable with “MFA bombing”, “man-in-the-middle” and other attacks,
it’s time to kill the traditional MFAs and move on to passwordless technologies that not only enhance security but also provide a much smoother user
experience.

Passwordless Adoption Becoming Reality


The idea of authenticating users and managing access without passwords is a dream for IT and security professionals. As one respondent put it, “Passwordless
security is the future and we believe we should be moving toward this goal.” The good news is that most respondents are looking to move to a passwordless
world as quickly as possible. A whopping 65% are planning on implementing passwordless technologies in the next 24 months. Nearly a third are planning to do
so in the next six months, and another third are looking at the 12-24 month horizon. The survey asked respondents to explain what was standing in their way. The
top reason was having too many competing priorities (55%), followed by not knowing enough about the technology (46%), and lack of budget (24%). As more
security professionals are getting educated on the importance of passwordless authentication especially when executed on a continuous basis, there seems to
be a big momentum towards this type of solution.


Surprising Finding: 76% of Respondents Use More than One IdP


Some surprising results showed that many enterprises use multiple IdP products, a trend that bucks the usual consolidation
of cyber security tools. 76% of respondents use more than one IdP in their organization. They attributed this redundancy to
failover, use case requirements, and a preference for a best-of-breed approach. As over 80% of cyberattacks focus on credentials,
it makes sense that practitioners need to have a back-up system in case their primary IdP product goes down or is compromised by
an attack.

Device Trust: Woefully Underused


Further to the challenges in managing people external to the organization, the survey probed respondents on where they had implemented
device trust technologies. As threats grow more sophisticated and legacy forms of access grow more deficient, security managers
have recognized that establishing trust with a user’s device is critical to preserving a strong security posture. Hackers can easily impersonate
legitimate users with stolen credentials, so it is the user’s device that becomes a critical element in authentication. Indeed, without device trust, an
attacker can penetrate an MFA control before the login stage. Device trust technologies track characteristics of a device that are unique to the user. These
might include factors like geolocation and keystrokes or even patterns of movement. That way, if a user who lives in Dallas seems to be logging in from Berlin, a
device trust solution will block the log in and issue an alert. An attack is most likely underway, unless the user has actually gone to Berlin. Unfortunately, device
trust isn’t used at all according to 25% of the respondents. And under half use it for mobile security and only 25% use it for Mac workstation safeguarding. It’s
an area where organizations can make great strides in shoring up their security posture by adding this valuable technology.

Conclusion
The majority of respondents realize that although traditional MFA is better than nothing, it’s susceptible to cyberattacks and causes too much friction for users.
The only way forward is to move towards a passwordless continuous authentication platform that powers a next generation version of MFA: invisible MFA. This
will enable a strong security posture and Zero Trust Architecture while providing a frictionless user experience.



High Level Findings

84%
Authentication Priority
Authentication and access management are significant areas of focus, with 84% of respondents placing it among their top 3 or 5 priorities for 2023.

76%
Multiple IdPs
The vast majority of enterprises (76%) reported using multiple identity platforms (IdPs), a situation that – despite high costs and administrative complexity – is a necessary evil to allow for failover, use case requirements, and product innovation.

55%
Traditional MFA is Dead
Respondents are concerned about security risks associated with traditional MFA, with 55% worried that relying on SMS texts and phone calls makes them susceptible to cyberattacks.

> 50%
Cyber Insurance Trends
Cyber insurance carriers are beginning to mandate the use of new MFA technologies. However, over half of respondents are not sure or are concerned that they will lose their coverage if they continue with traditional MFA.

40% / 28% / 26%
Lack of Device Trust
Device trust is woefully under-used throughout organizations, as only 40% of mobile devices and 28% of Mac workstations are enabled, with a whopping 26% claiming not to use device trust at all. This leaves enterprises vulnerable to attack as a user’s digital journey always begins with a device.

65%
Passwordless Being Embraced
The majority of enterprises (65%) plan to adopt passwordless technologies in the next 24 months. Lack of budget, fewer resources, and conflicting priorities hinder faster progress.

Demographic Overview of Survey Respondents


Demographic Overview
This report is based on a survey of 285 security and IT professionals working across a range of industries in North America. Overall, we see an even distribution of respondents across company size, titles, and industries.

Company Size
40% of the respondents work in organizations with over 15,000 employees, while 12% work at companies with 10,000-14,999 employees. 25% are at companies with between 5,000 and 9,000 employees, and 23% represent firms with 2,000-4,999 employees.

Titles
C-level and VP titles accounted for 21% of the respondents, with 20% being directors. IT Managers (26%) and Security Managers (28%) rounded out the audience.

Industry
We had a diverse breakdown of verticals: 20% work in the technology industry, 16% in healthcare, 13% in manufacturing, and 11% in finance.

Chart: Company Size
40% 15,000+ employees
25% 5,000-9,999 employees
23% 2,000-4,999 employees
12% 10,000-14,999 employees



Industry
Technology 20%
Healthcare 16%
Manufacturing 13%
Finance 11%
Retail 8%
Other 8%
Telecommunications 6%
Insurance 6%
Gov (state/local) 4%
Utilities 3%
Media 2%
Transportation 2%
EDU K-12 1%

Titles
Security Manager 28%
IT Manager 26%
C Level and VP 21%
Director 20%
Other 5%



Authentication & Access Management

Authentication Tops Cyber Security Priority List
According to the Cyber Resilient Organization Report, organizations typically deploy 45 cybersecurity tools to protect their environments from attack. That’s a lot of software and budget dollars.

When asked what their top cyber security priority was, authentication emerged in the top 3 or top 5 for 84% of respondents. This top 3-5 priority is for all cyber security products, not just ones in IAM (identity and access management).

Another 11% placed it in their top 10. A mere 5% put it in the top 20.

These results demonstrate the importance of authentication and access management for IT and security teams in an extremely crowded market and threat landscape.

Chart: 84% Consider Authentication & Access Management a Top 3 or 5 Priority
84% Top 3 to 5
11% Top 10
5% Top 20



Next Generation Authentication Technologies are Priority
In terms of specific priorities within authentication for 2023, the biggest item on the agenda appeared to be single sign on (SSO), referenced by 45% of respondents as a priority.

However, intelligent/phishing-resistant MFA and risk-based continuous authentication, which are more modern alternatives to traditional MFA, garnered 38% and 25%, respectively.

When combined with passwordless technologies, at 25%, 84% of respondents appear to be looking beyond traditional authentication technologies in the near future.

Chart: What are your authentication priorities for 2023?
Callouts: 84%; 38% Invisible MFA; 35% Continuous Authentication; 25% Passwordless
Bar labels: SSO, Invisible MFA, Continuous Authentication, Passwordless, Traditional MFA, 2FA, All of the Above, None of the above
Bar values shown: 45%, 38%, 36%, 35%, 29%, 25%, 23%, 2%

Workforce and Contractors Lead Authentication Use Cases
Survey respondents use authentication solutions for a range of purposes. Workforce access
management was the top choice, with 80% of respondents saying this was one of their
use cases. Over a quarter use an authentication solution for customer identity and access
management (CIAM), while nearly two thirds put authentication solutions to work managing
access for contractors and vendors.

Workforce 80%
Contractors/Vendors 64%
CIAM 27%
Other 3%

An overwhelming majority are still in need of a workforce solution



Current IdPs in Enterprises Today

Variety of Authentication Products Are Used


When asked what identity provider products they use, 54% of respondents indicated Microsoft E3
and E5. The next most popular was Okta (41%), followed by Ping Identity (24%) and SecureAuth
(12%). The predominance of Microsoft is not surprising, given the pervasiveness of Windows in the
corporate world. However, an issue arises when one considers that a separate question in the survey
found that 28% of respondents appear to have Mac computers, which are not optimally protected
by Microsoft security products.

Microsoft E3 / E5 54%
OKTA 41%
Ping Identity 24%
SecureAuth / Arculix 12%
ForgeRock 7%
Transmit Security 6%
HYPR 3%
Other(s) 13%



Multiple IdPs Exist for Authentication

76% of Enterprises Use Multiple IdPs
Some surprising results showed that many enterprises use multiple IdP products, a trend that bucks the usual consolidation of cyber security tools. 76% of respondents use more than one IdP in their organization. They attributed this redundancy to failover, use case requirements, and a preference for a best-of-breed approach. As over 80% of cyberattacks focus on credentials, it makes sense that practitioners need to have a back-up system in case their primary IdP product goes down or is compromised by an attack.

Chart: Why do you have multiple IdPs for authentication and access management?
Specific Use Cases (i.e. Mac Users) 33%
Best of Breed Approach 22%
Failover 21%
M&A reasons 21%
N/A we only have 1 IdP 23%

“Security is almost 100% immune from cost cutting since there are so many risks and the bad guys get more sophisticated every day.”
- A Survey Respondent



Perceptions of Traditional MFA

Majority Have Deployed Traditional MFA
Traditional MFA has users authenticate themselves using verification factors like one-time passwords (OTPs) and personal identification numbers (PINs) transmitted over SMS text messages, emails or phone calls. While these MFA techniques were considered revolutionary when they debuted in the late 1990s, they are increasingly viewed as “better than nothing,” but problematic from a security perspective. There have been enough troubling incidents that IT and security professionals view traditional MFA as deficient—a technology that must be upgraded to next-gen secure methods such as passwordless continuous authentication solutions driven by a behavior-based risk engine. In addition to the weaknesses in traditional MFAs from a security point of view, they add a lot of friction for users, causing productivity issues.

While traditional MFAs are vulnerable, they are better than simple passwords that are super easy to crack. So, it’s good to see that a lot of companies have at least adopted the MFA technology. Over 50% of respondents say that 75%+ of their organizations have deployed MFA. A further 15% have deployed MFA in 51-75%. Only 4% have MFA in less than 5% of their organizations.

Chart: What percentage of your organization has deployed traditional MFA?
Categories: Over 75%, 51-75%, 26-50%, 6-25%, 0-5%
Values shown: 52%, 17%, 16%, 14%, 3%

“Traditional MFA can easily be bypassed by attackers. It’s important to augment with behavioral or device posture solutions.”
- A Survey Respondent



Traditional MFA Methods are Prone to Attack & Cause User Friction
The prevalence of traditional MFA notwithstanding, respondents do have many security-related concerns about traditional or “legacy” MFA. Over half think the technology is susceptible to cyberattacks. Twenty one percent feel traditional MFA cannot be used as an effective hacker deterrent because adoption rates are too low in operational terms.

Within these respondents, interestingly, Insurance companies were the most concerned about weakness of these methods against hackers, followed closely by Finance, Healthcare, Retail, and Technology companies.

Besides lack of protection against cyberattacks, friction for users is another big issue. 27% of respondents say that traditional MFA causes too much friction with users.

Chart: Do you believe traditional MFA with sms/phone/kba type of authentication does the following?
54% Is susceptible to cyberattacks
30% Causes too much user friction
21% Can’t be used as an effective hacker deterrent because rates of user adoption are too low
16% Is too difficult to deploy
15% Doesn’t comply with cyber insurance carrier requirements
6% Other



Respondents Not Confident that Traditional MFA Can Thwart Attacks
Most of the respondents lack confidence in using traditional MFAs to thwart credential related cyberattacks. When asked on their confidence level, only 5% are very confident with another 40% somewhat confident. Not a strong vote of confidence for traditional MFAs.

Despite MFA technologies being widely deployed, confidence in using these solutions to help protect the infrastructure is not very high. Not surprisingly, most companies have started initiatives to move away from traditional MFAs to phishing resistant technologies including invisible MFA, passwordless authentication, and other solutions.

Chart: How confident are you that traditional MFA is enough to thwart attacks?
Callout: 55% are not confident in traditional MFA
40% Somewhat confident
35% Somewhat not confident
20% Neither confident nor not confident
3% Not at all confident
2% Very confident



The State of Passwordless Technologies

For Respondents Adopting Passwordless Technologies, Most Methods Used are Vulnerable to Attack
In terms of passwordless technology, companies are using various different types of technologies for authentication.

Most respondents picked One-Time-Passwords or OTPs with 38% selecting that as one of the methods. The next most popular passwordless technologies were PINs (27%) and biometrics, which was tied with security keys at 26%. Respondents showed a preference for proven, tangible passwordless solutions like PINs and OTPs over newer, more subjective approaches like biometrics and knowledge factors.

Unfortunately, many of these, including biometrics, are vulnerable, with hackers using various techniques to intercept or replicate users’ credentials.

Chart: Which of the following technologies are you using to achieve your passwordless goals?
18% OTP Token
14% Biometrics
14% Security Key
14% PIN
8% Zero Factor Authentication
8% Other
7% SmartCard
7% Windows Hello for Business
5% Knowledge Factors
3% Behavioral Biometrics
2% End User as a proxy



Passwordless Adoption Hindered by Competing Priorities, Lack of Knowledge and Budget
The idea of authenticating users and managing access without passwords is a dream for some in the IT and security fields.

For respondents, while the vision of using next-gen authentication solutions to rid the world of passwords is appealing, the reality is a bit daunting.

The survey asked respondents to explain what was standing in their way. The top reason was having too many competing priorities (55%), followed by not knowing enough about the technology (46%), and lack of budget (24%).

As more security professionals are getting educated on the importance of passwordless authentication especially when executed on a continuous basis, there seems to be a big momentum towards this type of solution.

Chart: If not using passwordless technologies, what has held you back from adopting?
55% Too many competing security priorities
46% We don’t know enough about passwordless technologies
24% We don’t have the budget for passwordless technologies
4% Other

“Passwordless security is the future and we believe we should be moving toward this goal.”
- A Survey Respondent

65% Plan on Adopting Passwordless Technologies in the next 2 Years
It was very encouraging to see that most organizations are planning on implementing passwordless technologies. Only 15% of the respondents are not ever planning on adopting passwordless technologies.

A whopping 65% are planning on implementing passwordless technologies in the next 24 months. Nearly a third are planning to do so in the next six months, and another third are looking at the 12-24 month horizon. In IT terms, that is also a fairly immediate plan, especially in large organizations.

Looking at specific industries, Technology companies led the group for adoption in 6-12 months followed closely by Government, Manufacturing, Finance, and Insurance.

Although passwordless is a good step, organizations need to look at the next level of the maturity curve with continuous authentication with invisible MFA to eliminate friction and significantly enhance security.

Chart: If you don’t already use passwordless technologies, what are your plans for adopting them?
33% Within the next 12-14 months
32% Within the next 6-12 months
20% More than 24 months in the future
15% We do not plan to adopt passwordless technologies



Device Trust Technologies

Device Trust Woefully Underused to Aid in Credential Attacks
To implement an effective continuous authentication process, it’s important to have Device Trust on end points. Device trust technologies track characteristics of a device that are unique to the user.

The survey probed respondents on where they had implemented device trust technologies. As threats grow more sophisticated and legacy forms of access grow more deficient, security managers have recognized that establishing trust with a user’s device is critical to preserving a strong security posture. Without device trust, an attacker can penetrate an MFA control before the sign in stage.

Over six in ten respondents have implemented device trust for all Windows workstations. Four in ten have done so for all mobile devices. Twenty-eight percent have device trust for Mac workstations, and 27% have it for all servers. The discrepancy between device trust for Windows versus Mac highlights a difficulty facing security managers.

Chart: Where have you implemented Device Trust technologies in your organization?
61% All Windows workstations (laptops & desktops)
40% All mobile devices
28% All Mac workstations (laptops & desktops)
27% All servers
26% None of the above

60%
Macs and mobile devices are most susceptible to hacker attacks



The impact of Cyber Insurance on Authentication

Cyber Insurance is a Priority
Cyber insurance is a high priority for respondents. Asked, “Is cyber insurance a priority for you? (i.e., do you need to purchase/renew it for your organization?)” 59% said “yes.” Only 17% said “no,” while 24% said they were “not sure.” This is not a surprising result. Most businesses are intent on reducing residual cyber risk, and insurance is an effective way to achieve this outcome.

However, getting the right kind of cyber insurance coverage, and the best rates, requires adhering to a range of parameters specified by the carrier. Overall, cyber insurance is getting increasingly expensive while providing less coverage. Organizations that want good coverage and low premiums will need to demonstrate strong controls over authentication and access. This will almost certainly mean the adoption of the latest innovative MFA technologies.

If a carrier deems a prospective policy holder to be deficient in its authentication and access management capabilities, it may deny coverage or insist that the customer improve its authentication and access management before they will underwrite the policy. Indeed, some cyber insurance carriers are starting to mandate that policy holders replace traditional MFA with more advanced and secure techniques, such as device trust-based invisible MFA, behavioral methods, and passwordless technologies.

Chart: Is Cyber Insurance a priority?
61% Yes
23% I’m not sure
16% No



About Arculix by SecureAuth
Arculix by SecureAuth is purpose-built for authentication and powered by a data science approach to security. Its risk-based continuous
authentication platform enables invisible MFA, device trust, and passwordless innovation for strengthened security, massive cost savings, and
improved UX. It ensures the most secure digital experience for everyone, everywhere. ​

How is Arculix Different?

Rollout advanced passwordless & invisible MFA quickly
Simple rollout of FIDO authentication and QR-code initiated login

Continuously monitor users and devices
Using patented AI/ML, the risk engine monitors hundreds of variables including peer group behavioral modeling, time, location, etc. to calculate if an access attempt is legitimate via invisible MFA

Fewer MFA prompts using Universal Authentication
Take action only when risk demands it, based on user and device posture pre, during, and post-authorization

Shift your security “left” by establishing the root of trust at device login where the user journey begins.



About ViB Research
This vendor-neutral research study was independently conducted by ViB (Virtual Intelligence Briefing) Research.

Respondents are precisely screened and targeted from ViB’s community of more than 10M technology practitioners and decision makers who share their opinions by engaging in high quality surveys across IT domains including Identity Management.

ViB’s best-in-class survey design and analysis methodology is designed to deliver accurate insights from engaged community members who are motivated to share their experiences for the community’s greater good.

The Effective Margin of Error™ is estimated to be +/- 3.7%. Learn more about ViB’s research capabilities at https://vibriefing.news/services/market-research/
