A majority of IT and security professionals responding to a HYPR and Cybersecurity Insiders study said they did not improve authentication controls following an attack. Pictured: An employee uses a laptop computer during a demonstration of the shared PC with face-recognition technology, eliminating the need to input a password at the NEC Corporation headquarters on July 13, 2020, in Tokyo. (Photo by Tomohiro Ohsumi/Getty Images for NEC Corporation)

A report released Tuesday by HYPR and Cybersecurity Insiders found that even with ongoing industry efforts to embrace zero-trust, many organizations are still highly exposed to credential attacks because of insufficient multi-factor authentication (MFA) and overall lack of urgency about the seriousness of the threat landscape.

The study, based on responses from more than 400 security and IT professionals, found that despite an increased number of breaches — some 89% say they experienced a phishing attack against their organization in 2021 and 34% sustained a credential stuffing attack — 64% of those hacked did not enhance or improve their password-based authentication controls following the attack.

Additionally, 65% of those who claim to run a passwordless system continue to employ methods based in shared secrets, such as SMS or one-time password (OTP).

“Traditional MFA is failing,” said Bojan Simic, co-founder, CEO and CTO of HYPR. “It provides a terrible user experience while adding minimal security on top of the password. It’s too easy for hackers to bypass phishable MFA factors such as OTP codes or SMS using automated hacking tools, or to compromise MFA solutions by creating ‘push fatigue.’ Organizations must move to phishing-resistant MFA that eliminates the password and minimizes the attack surface vulnerable to credential attacks.”

Attackers are looking for high-valued credentials and those are privileged accounts that let the attackers access everything and go anywhere within the network, said Joseph Carson, chief security scientist and advisory CISO at Delinea. Carson said with privileged access, attackers can cause serious damage, steal any data, hide their tracks, and sell them for a higher value to other cybercriminals who will abuse them.

“When employees are left to be responsible for creating passwords and tend to reuse existing passwords or select similar passwords, then credential stuffing will continue to succeed,” Carson said. “Organizations can help reduce the risks of credential attacks by moving passwords into the background and rewarding employees with a password manager or privileged access management solution that will help automate passwords. At the same time, it will help to reduce cyber fatigue.”

Garret Grajek, CEO at YouAttest, added that the security industry applauds the efforts of the MFA companies to increase the ease-of-use of MFA, be it biometrics or other means. 

“But one must remember, the hackers don't just stop at the auth process,” Grajek said. “Authentication form hacking, cross site scripting (XSS) session stealing, man-in-the-middle (MitM), browser-in-the-middle (BitM) are all ways to attack identity sessions regardless how the user authenticates. That’s why authentication is a piece — an importance piece of zero trust — but it’s not the end-all, be-all. Enterprises still must assume the session that carries the identity of the user might be erroneous and continue the chain of authentication/authorization in each node of the session from authentication to resource obtainment.”