The 2020 State of Password and Authentication Security Behaviors Report

Cyber threats and attacks on individual users and organizations have not diminished. Phishing scams, stolen credentials, and account takeovers continue to rise, making it imperative for businesses to have policies and practices in place to reduce the risks created by poor password and authentication behaviors. What is perhaps more important is that the security policies and practices being deployed by businesses align with the preferences and behaviors of employees and customers (hereafter referred to as individual users). Without user adoption, businesses will remain vulnerable to cyber threats.

Ponemon Institute presents the results of The 2020 State of Password and Authentication Security Behaviors Report, sponsored by Yubico. Ponemon Institute surveyed 2,507 IT and IT security practitioners (hereafter referred to as IT security respondents) in the United States, United Kingdom, Germany, France, Sweden and Australia. This year, we also surveyed 563 Individual users to better understand the differences in security behaviors and preferences between IT security practitioners and Individuals.

Contrary to popular belief, IT security professionals— who we’d expect to take the utmost precaution when it comes to security—aren’t much better than the individual users represented in this study. In fact, both groups are engaging in risky practices, including reusing and sharing passwords in the workplace and accessing workplace apps from their personal mobile devices without using two-factor authentication (2FA).

IT security professionals are more concerned about the privacy and security of their personal information than Individuals. As shown in Figure 1, 37 percent of IT security respondents are highly alarmed about possible risks to the security of their personal information. Individuals are more likely to be “only somewhat concerned”. These differences can perhaps be explained by the fact that IT security respondents are in the trenches protecting their organizations from attacks and, therefore, better understand the current threat landscapes.