Monthly Archives: December 2021

The state of workforce passwordless authentication

Enterprises continue to feel threatened in the pandemic with many feeling targeted, and this along with remote work and associated loss of productivity from password problems is driving increased adoption of passwordless technologies. Going forward organizations are extremely bullish on adopting passwordless authentication.

The purpose of this research is to understand the state of workforce passwordless authentication, the motivations and results when organizations transition to the use of passwordless authentication. Based on the experiences of organizations represented in this research, passwordless authentication can help remediate many concerns around cybersecurity posture caused by password and traditional MFA authentication approaches, sustained cyber threats and pandemic shifts to greater remote work.

Organizations that have adopted passwordless authentication say the main motivation was to improve the end-user experience and operational efficiency. The growing remote workforce also influenced these organizations’ decision to adopt passwordless authentication.

A key takeaway regarding economic efficiencies is that the use of passwordless authentication can reduce the financial consequences of attacks involving employees’ passwords and help desk costs due to password problems or resets by an average of $1,871,780 over a two-year period.

With sponsorship from Secret Double Octopus, Ponemon Institute surveyed 663 IT and IT security professionals in the United States. All respondents are familiar with their organizations’ approach to employee authentication and have some level of involvement in managing and making decisions about their organizations’ IT security strategy.

The following findings reveal the state of workforce passwordless authentication, its drivers and benefits: 

  • Phishing attacks are pervasive. Phishing is the number one password-based attack according to 63 percent of respondents. An average of only 44 percent of all phishing emails are detected. 
  • The shift to a remote workforce during the pandemic is driving the adoption of passwordless authentication. Fifty-five percent of respondents say their organizations use passwordless authentication for at least some use cases. Of these 55 percent of respondents, 79 percent say a growing remote workforce influenced passwordless adoption. 
  • Remote working negatively affects employees’ and help desk productivity. Another reason to adopt passwordless authentication is that 75 percent of respondents say password authentication issues because of remote working has increased employee downtime. Seventy-four percent of respondents say it has decreased the productivity and increased the stress of the help desk team. 
  • Organizations stand to save significant costs in both breach-related financial expenses and productivity with passwordless authentication. 
  • Adoption of passwordless authentication is gaining traction. Forty-five percent of respondents say their organizations exclusively use conventional passwords. However, of these respondents, 66 percent of respondents expect to adopt passwordless authentication in the next six months (33 percent), within the next year (21 percent) and within the next two years (12 percent).

Part 2. Key Findings

 In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. The findings are organized according to the following topics.

  • Concern and vulnerability run high with respect to password-related cyber threats
  • Remote work shifts are driving passwordless authentication adoption amidst security and productivity challenges
  • Passwordless authentication cost savings totaled an average of $1.9M over 2 years per organization
  • Opportunity and optimism remain high around passwordless authentication

Concern and Vulnerability Run High with Respect to Password-related Cyber Threats

The most prevalent password-based attacks are phishing. Some 63 percent of respondents say their organizations had attempted or successful phishing attacks in the past two years.  However, according to the research, cybersecurity teams can detect an average of only 44 percent of phishing emails. Seventy-one percent of respondents say phishing emails and employees’ misuse of passwords is increasing the risk of a targeted and successful attack.

 Organizations also experienced ransomware (57 percent of respondents) and credential stuffing or dictionary attacks (57 percent of respondents).

Remote Work Shifts Are Driving Passwordless Authentication Adoption Amidst Security and Productivity Challenges

 The remote workforce is decreasing organizations’ security posture.  According to 60 percent of respondents, a remote workforce reduces the security of the cloud infrastructure, makes connections to the domain less secure (56 percent) and increases the attack surface (49 percent).

The help desk is not immune from password authentication problems created by remote working. Some 74 percent of respondents say productivity has decreased and increased stress significantly (40 percent) or decreased productivity and increased stress (34 percent) of help desk workers.

 Passwordless Authentication cost savings totaled an Average of $1.9M Over Two Years

 Passwordless authentication significantly reduces the economic loss due to attacks involving employees’ passwords. Organizations with conventional authentication methods averaged $5.6 million in total economic loss from attacks involving employees’ passwords over the past two years vs. $4.2 million in organizations with passwordless authentication. Respondents were asked to include IT costs, downtime, lost business, damaged reputation, fines and legal fees, stolen proprietary data and ransoms paid in the total cost.

Opportunity and Optimism Remain High around Passwordless Authentication

In this section, only organizations that have adopted passwordless authentication are represented. In the context of this research, authentication is defined as the process of verifying the user’s identity by asking for a secret (e.g., password) possession of an item (e.g., USB dongle) or inherent attribute (biometrics). Passwordless authentication is any authentication method that does not require users to know their password.

Most organizations are still dependent upon traditional passwords at some level. However, 55 percent of respondents say their organizations use passwordless authentication for most or all use cases (11 percent), some use cases (19 percent) or only for specific use cases (25 percent).

Almost half of respondents rate the user experience and security of passwordless authentication far higher than conventional passwords. Respondents were asked to rate the quality of the user experience using passwordless authentication and conventional passwords on a scale from 1 = low quality to 10 = high quality. They also rated the security from 1 = low security to 10 = high security. Figure 15 shows the 7+ responses on the 10-point scale.

We found that 47 percent of respondents rate the quality of the user’s experience with passwordless authentication as high. However, only 26 percent of respondents rate the quality of conventional passwords as high.

To read the rest of this study and view the accompanying charts, visit

Facebook accused of enabling fraud, claims ‘immunity’ in court filing

Bob Sullivan

When we talk about Facebook’s bad behavior, it’s easy to get bogged down in the details. Don’t. We should focus more on the outright fraud enabled by its platforms.

There’s been near constant talk about Facebook’s misbehavior lately, reaching a new crescendo after whistleblower Frances Haugen told Congress the firm knowingly makes software that hurts kids.  But as Haugen herself pointed out this week, regulators risk talking themselves into circles as they get bogged down in the details about how to react to Facebook’s various transgressions.  Debate on Section 230 could easily last into the next century, I think. And Facebook’s role in the 2016 election? Well, that’s destined to fill up talk radio show hours with never-ending prattle.

That’s why I wish there were much more focus on the outright fraud that Facebook enables. The case there is much more clear, as a the pillowcase-couch above suggests.

Facebook’s advertising platform got some of the attention it deserves this week after a story by Donie O’Sullivan at CNN showed the social media giant has taken payment for anti-vaxx ads, including a set that compared the U.S. vaccine program to the Holocaust. Facebook has publicly taken the stance that it has not contributed to anti-vaccine sentiment in the U.S., but anti-vaxxers have contributed to Facebook’s bottom line, the report found. Unsavory? Sure. Illegal? Probably not.

Look deeper into Facebook ads, and you’ll find far more dubious activity.  Earlier this year, I reported on a lawsuit filed in California that alleges Facebook has earned billions of dollars from advertisements it knows, or should know, are fraudulent. The social media giant makes it easy for criminals to target consumers who are not only likely to click on certain kinds of ads, but also likely to follow through with purchases, the case claims.  The firm is “actively soliciting, encouraging, and assisting scammers,” the suit claims.

Many of these highly-targeted ads on Facebook and Instagram promise consumers great deals on novelty products that seem specifically-tailored for them. Instead, credit card payments go to firms — many based in China — that never send the item or send something worth only pennies.  Criminals are using Facebook’s algorithms to micro-target victims, or as I like to say, to hack people. And steal their money.

The lawsuit seeks class-action status, and contains only allegations. But a Better Business Bureau report published this week by Steve Baker ads to the evidence that Facebook’s empire is built with the help of fraud, much of it originating in China.

BBB solicits complaints from Internet users through its Scam Tracker, and said on Thursday that the largest target of these complaints — 40% of the total – involve victims of online ads found on Instagram and Facebook.  While deceptive ads theoretically violate Facebook’s terms of service, the firm doesn’t seem to care much.

“Consumers tell BBB that Facebook and Instagram are often not helpful in addressing violations
of their own policies when consumers receive nothing at all, counterfeit goods, or items that were inferior to what was advertised and purchased,” BBB wrote. “These encounters often take place after seeing enticing social media ads placed by operations in China.”

Many of the crimes are blatant and obnoxious. A Canadian anti-fraud official told the BBB that he
has seen “accounts of people buying a cordless drill online but only receiving a screwdriver from China.”

The accusations in the lawsuit, and the BBB report, are not new. Buzzfeed News reported one year ago that internal Facebook research found 30% of ads placed in China violate the site’s terms of service.  The story also quotes a Facebook employee saying the company intentionally looks the other way, fearful that a crackdown might slow the flow of dollars from China.

Facebook told Buzzfeed for that story that it invests heavily in keeping deceptive and low quality ads off its site — given the scale of its ad business, that is no doubt true. But it also seems obvious the firm still isn’t investing nearly enough to fight fraud.  Last month I wrote about a disturbing example of criminals forcing victims to make “hostage-style” videos endorsing scams in a desperate attempt to regain control of their social media accounts. If Facebook hired enough people to assist consumers who were in trouble, there’d be no such desperation.

Another key piece of the puzzle revealed by the BBB study: Facebook and Instagram play a key role in connecting scammers to victims who weren’t even shopping online. BBB found that victims
who were not actively looking for a product, but lost money in the transaction, began with Facebook or
Instagram 70% of the time.

And all this fraud causes collateral damage, too. Many small businesses see their photos and product descriptions copied by criminals and used for deceptive ads.  Often, consumers blame the small businesses when they discover the crime. One art dealer in Dallas says he’s spent hours per week fighting this kind of copyright theft, and Facebook was quite unhelpful.

“Facebook will not take down these obviously related ads, but instead forces him to challenge the
ads one at a time,” the report says.

And victim consumers who report fraud in an effort to prevent future crimes told BBB they often don’t get results. One purchased a table based on a clever video that popped up on his Facebook feed. When he received nothing, said he contacted Facebook dozens of times about this fraud, and “they responded that the video did not violate their policies. The ad remained running for several months,” the BBB report says.

Fraud trend stories like this are always tricky: For years, credit card processors would respond to every story about online fraud by saying the actual fraud rate at e-commerce sites was very small, far less than one percent. That was cold comfort to victims, and it was also hard for external observers and policy-makers to evaluate. How much fraud is too much? At what rate should additional safeguards — safeguards that would add friction and probably impact revenue — be required?   Has fraud on Facebook reached that point? I cannot say. I can say the  Department of Homeland Security has warned that “e-commerce business models have a variety of new actors that aid, abet, or assist the transactions, including payment processors, social media websites, and online marketplaces.”

And I can say that Facebook simply doesn’t answer the phone when there’s an ongoing crime on its platform. Their online process for dealing with a serious consumer problem, such as an account takeover or a fraudulent ad, is severely lacking. Users should be able to get immediate help with issues like that. You’ll often hear defenders of the firm say that kind of support doesn’t scale. To that, I’d say that means their business doesn’t scale. If they can’t operate without enabling fraud, and can’t quickly help victims, their business model is fatally flawed.

The BBB tells me that Facebook did not take the opportunity to respond to its report. Facebook did not respond to my request for comment, either.  It did respond to the California lawsuit, however. With this straightforward defense: We are immune!

“The Court should dismiss all of Plaintiffs’ claims with prejudice because the Communications Decency Act, 47 U.S.C. § 230 (“Section 230”), shields interactive computer service providers such as Facebook from liability arising from content created by third parties,” the motion for dismissal says. “Plaintiffs have not—and could not—allege any facts that take their claims outside a plain and straightforward application of that statutory immunity.”

Section 230 reform is a multi-tentacled beast and my own opinions on what to do about it are still evolving. But I interviewed a law professor recently who told me that blanket immunity always causes problems, and this example makes it pretty clear.  Facebook is saying it’s not responsible for fraud it enables by matching criminals with victims because it has been granted immunity by Congress. That kind of license for bad behavior sounds chilling to me.  And the next time a Facebook spokesperson says the firm cares about fraud, remember that this defense.