Enzoic Study Finds Passwordless Authentication Failing to Gain Traction

Only 12% of organizations rely on this approach, with 70% still utilizing passwords

BOULDER, Colo.--()--Despite authentication being a cornerstone of cybersecurity, strategies to mitigate the risks remain stuck in the dark ages, according to new research from Enzoic, a leading provider of threat intelligence solutions. The study, conducted by CyberSecurity Insiders, surveyed 483 cybersecurity professionals in the US from various industry sectors to understand the current state of authentication security.

With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches. And many are failing to adhere to best practices for password management, which is leaving them exposed as compromised credentials are behind more than 50% of breaches, according to the DBIR.

“Authentication strategies are firmly in cybercriminals’ crosshairs," said Michael Greene, CEO of Enzoic. "Despite this recognized vulnerability, enterprises continue to deploy archaic strategies that fail to eliminate authentication mechanisms as a threat vector. The much-hyped passwordless future is not on the horizon anytime soon for most organizations, so it's vital to adopt modern and robust password policies that don't add friction for users.”

Key findings include:

Passwordless Reality

  • Only 12% of companies rely on passwordless strategies, with 68% primarily utilizing usernames and passwords for authentication.
  • 46% are looking to phase out passwords in the next three years.
  • However, 19% have no plans, reflecting that despite problems, passwords remain an important authentication mechanism.

Dark Web Dilemma
The vast majority (84%) are concerned about weak and compromised passwords. However, many remain in the dark about the risks they face.

  • 46% think that 1/5 of their passwords could be on the Dark Web
  • 26% are unsure if their organization's passwords can be found on the Dark Web
  • 56% have encountered issues with MFA, such as usability or compatibility

Cyberattack Spurs Action
However, once a business suffers an authentication-related cyberattack, this is often the impetus to shore up defenses. Following an attack:

  • 38% conduct regular security audits and vulnerability assessments
  • 28% implement MFA
  • 30% strengthen password policies
  • 26% educate users
  • However, 10% make no changes after an attack occurs!

Password Best Practice Knowledge Gap
Despite password best practices guidance published by NIST in 2017, 54% of organizations only learned about the framework in the last 12 months, and a staggering 33% are still unaware. This is reflected by 74% of companies still relying on periodic password resets and outdated character rules. The direct consequence of this knowledge gap is that password strategies remain outdated, increasing the likelihood of an attack.

“It’s imperative that companies see past the passwordless hype and take action today to strengthen credential security,” Greene elaborated.

Download the State of Authentication Report here.

About Enzoic
Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through threat intelligence monitoring. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations and PII to identify accounts at risk and mitigate unauthorized access. Enzoic is a profitable, privately held company in Colorado. Learn more about Enzoic here and connect on Twitter and LinkedIn.


For more information:
Claire Rowberry, +1 617-785-5571

Release Summary

Passwordless authentication failing to gain traction; only 12% of organizations rely on this approach.

Social Media Profiles


For more information:
Claire Rowberry, +1 617-785-5571