Online phishing scams are becoming more frequent and more sophisticated, according to the Online Authentication Barometer, published by the FIDO Alliance on October 16, 2023.
When asked about phishing attacks, over half (54%) of respondents to the FIDO Alliance survey said they have seen an increase in suspicious messages and scams. Meanwhile, 52% believe phishing techniques have become more sophisticated, likely due to threat actors leveraging AI to create phishing schemes and deploy phishing campaigns.
“Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person,” reads the report.
Passwords Still Dominant Across Use Cases
The FIDO Alliance found that password usage without two-factor authentication (2FA) is still dominant across use cases.
The survey showed that people enter a password manually nearly four times a day on average, or around 1280 times a year.
Vulnerable passwords are particularly used to log on to a work computer or account, with 37% of respondents using this method instead of multi-factor authentication (MFA).
Andrew Shikiar, executive director and CMO at FIDO Alliance, commented: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions […], rather than iterating on ultimately flawed legacy authentication like passwords and one-time passwords (OTPs).”
The negative impact caused by legacy user authentication was also revealed to be getting worse. Nearly six in ten people (59%) have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year.
Biometrics Tops MFA Options, Passkeys Use Is Growing
When given the option, users are willing to adopt some of the “non-phishable and frictionless solutions” Shikiar said.
Biometrics ranks as the top MFA solution as it is both the preferred method for consumers to log in and what they believe is the most secure.
Speaking with Infosecurity, Roger Grimes, a data-driven defense evangelist at cybersecurity awareness company KnowBe4, praised the shift from password to MFA solutions.
However, he warned that “not all MFA, and especially not all biometrics solutions, are resistant to phishing techniques. That’s why cybersecurity organizations should promote the use of phishing-resistant MFA, such as FIDO-enabled MFA methods.”
The survey showed that one of these FIDO-enabled methods, passkeys, has grown in consumer awareness, rising from 39% in 2022 to 52% today.
Its use has been publicly backed by many big players in the industry, such as Google, Apple and PayPal.
Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,010 consumers across the UK, France, Germany, the US, Australia, Singapore, Japan, South Korea, India and China.
What Is the FIDO Alliance?
The Fast IDentity Online (FIDO) Alliance is a non-profit organization created in 2013. It has been responsible for developing and maintaining FIDO standards, a set of open, standardized and authentication protocols.
FIDO authentication is based on public key cryptography, which is more secure than password-based authentication and is more resistant to phishing and other attacks.
FIDO authentication is supported by a wide range of web browsers, operating systems, and devices. This makes it easy for users to adopt FIDO authentication without changing their hardware or software.
The latest FIDO protocol, FIDO2, was jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C).
“The FIDO Alliance is doing an amazing job at maintaining these authentication standards, and offers a FIDO certification,” said Grimes, who maintains a list of phishing-resistant MFA options.