
MFA adoption peaks despite lower remote access authentications

Duo Push, which uses app-based authentication, emerged as a strong authentication method: 91.5% of accounts enabled Duo Push as one of the authentication factors, accounting for over 3.2 billion authentications (21%). Duo Push was preferred over legacy authentication methods such as SMS and phone calls (at 4.9% in 2023).

“I think it’s the pivot of people realizing that SMS-based authentication is easily compromised, and there’s a huge push by attackers to compromise SIM cards and be able to spoof those numbers and then, by virtue, be able to intercept SMS,” Lewis added.

Authentication failure and lacking policies raise concerns

Five percent of all measured authentications failed, with 28% of failures attributed to users not being enrolled in the system. According to the report, this is a very risky area that gives attackers scope to gain unauthorized access to sensitive data or critical systems, leading to data breaches.

It was also observed that 96.4% of organizations have no policy related to location (allow, deny, or require 2FA), opening their networks to attacks through unauthorized cross-geography access.

“Fundamentally, 96% of organizations overall don’t have any geographical based blocking whatsoever, meaning they have attackers from all of the planet,” Lewis added. “Geo-blocking has limited utility, but it does reduce a lot of the noise for many organizations.”

Despite heavy adoption, MFA was found to be deployed less than organization-wide, which can lead to credential compromises and render the partial adoption counterproductive. The average company had 40.26% of accounts with either no MFA or weak MFA.
