Yubico's 2019 report highlights difficulties people have in managing their password security

Johannesburg, 16 May 2019

Yubico, the leading provider of hardware authentication security keys, today announced the results of the company's 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute. The institute surveyed 1 761 IT and IT security practitioners in the United States, United Kingdom, Germany and France.

The purpose of the study was to understand individuals' beliefs and behaviours regarding password management and authentication practices, both in the workplace and at home, and to determine whether these beliefs and behaviours align, and why or why not. The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. Both parties are in dire need of solutions that will offer added security and convenience.

"For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, this multi-country research illustrates the difficulties associated with proper password hygiene," said Stina Ehrensvard, the CEO and founder of Yubico. "With every new password breach that we see, it's become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally."

Key findings from this research include:

* Sixty-three percent of respondents say they have become more concerned about the privacy and security of their personal data over the past two years. Respondents reported being most concerned with their social security number or ID number, their payment account details and their health information. The reasons respondents reported being more concerned about their privacy were government surveillance (59%) and the growing use of mobile devices (51%) and connected devices (40%).

* Almost half of respondents (47%) say their companies are most concerned about protecting customer information and 45% of respondents say they are most concerned about protecting employee information.

* As cyber attacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents (51%) say they have experienced a phishing attack in their personal life, while 44% of respondents have experienced a phishing attack at work. However, while phishing attacks are occurring on a frequent basis, 57% of respondents who have experienced a phishing attack have not changed their password behaviour.

* Approximately two out of three respondents (69%) admit to sharing passwords with their colleagues in the workplace to access accounts, and more than half of respondents (51%) reuse an average of five passwords across their business and/or personal accounts. Furthermore, added protection beyond a username and password, in the form of two-factor authentication, is not widely used. Sixty-seven percent of respondents do not use any form of two-factor authentication in their personal life and 55% of respondents do not use it at work.

* It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords both personally and professionally. Respondents report spending an average of 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords. Based on the average headcount in this research of almost 15 000, we estimate the cost of productivity and labour loss per company averages $5.2 million annually.

* Because managing passwords is inconvenient and cumbersome, 57% of respondents expressed a preference for passwordless logins that protect their identity. Fifty-six percent of respondents believe that a physical hardware token offers better security.

Full survey results and methodology

Beyond the highlights listed above, the full 2019 State of Password and Authentication Security Behaviours Report delivers further statistics based on the following themes:

* How privacy and security concerns affect personal password practices;
* Risky password practices in the workplace;
* Authentication and account security in organisations;
* Differences in password practices and authentication security behaviours by age; and
* Differences in password practices and authentication security behaviours by country.

Data for this survey was collected by the Ponemon Institute on behalf of Yubico. The institute was responsible for data collection, data analysis and reporting. Ponemon Institute and Yubico collaborated on the survey questionnaire. All survey responses were captured from 20 August to 4 September 2018.

To download the complete report and associated infographic, visit yubico.com/authentication-report. For more information on Yubico, visit www.yubico.com.


Yubico sets new global standards for simple and secure access to computers, mobile devices, servers and Internet accounts.

The company's core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico's ultra-portable hardware security module, protects sensitive data stored in servers.

Yubico is a leading contributor to the FIDO2, WebAuthn and FIDO Universal 2nd Factor open authentication standards, and the company's technology is deployed and loved by nine of the top 10 Internet brands and by millions of users in 160 countries.

Founded in 2007, Yubico is privately held, with offices in Sweden, the UK, Germany, the USA, Australia and Singapore.

Private Protocol

Private Protocol is a data security distributor offering solutions and strategies that cover mobile device and data security, secure data collaboration, secure messaging, SharePoint/O365 security and compliance, AWS security, data classification and data discovery, file share security and compliance, software defined perimeter, zero trust security, total fraud protection and cloud security.

Private Protocol also offers cloud risk assessments so companies can understand the effect that cloud is having on their business and highlight any risks that may be associated. Private Protocol has a distributed partner channel covering Africa and Indian Ocean Islands.

Private Protocol
Contact: (+27) 10 100 37288
Website: www.privateprotocol.com

Editorial contacts
Private Protocol Sales sales@privateprotocol.com