Use SSO, don't use SSO. Have MFA, don't have MFA. An analysis of a snapshot of organizations using Push Security's platform finds that 99% of accounts susceptible to phishing attacks.
With organizations adopting cloud services, mobile devices, and other digital technologies to meet customer needs and to support an increasingly remote workforce, identity is the security perimeter. Identity is where organizations authenticate, authorize, and manage users, applications, and devices. This requires organizations to invest in identity technologies such as single sign-on, multifactor authentication, continuous monitoring, and identity access management.
Currently, there are a lot of gaps that leave organizations vulnerable to identity-based attacks such as credential stuffing, brute-force, and phishing.
In an analysis of 300,000 accounts and associated login methods, Push Security's research team calculated the average employee in an average organization has 15 identities. A little over a third (37%) of identities used password-based logins with no MFA enabled, according to Push Security data.
According to the analysis, 61% of accounts relied only on single sign-on, and 29% had only passwords, and 10% of identities allowed both single sign-on and a password. Almost two-thirds (63%) of accounts -- regardless of whether single sign-on was available or not -- used some form of MFA. Almost all of them relied on what Push Security deemed "phishable MFA," which refers to methods vulnerable to bypass attacks such as MFA fatigue or advanced attacker-in-the-middle phishing toolkits. Less than 1% of accounts using single sign-on methods used "phishing-resistant MFA," according to Push Security.
For accounts that had only a password, 80% did not have MFA enabled, while 40% of accounts that had both SSO login and a password lacked MFA.
The problem with accounts having both SSO and passwords is that it opens the door to ghost logins, or situations where an account has multiple login methods. In this case, despite having single sign-on, these accounts could potentially be compromised if the attacker figures out the password via credential stuffing or brute-force attacks.
Even in cases where SSO is used, there is a password login to the identity provider at the beginning of the flow. A look at the identity provider account shows that 17% does not have MFA enabled, and 10% reused passwords. If this password is somehow compromised -- perhaps by credential stuffing or phishing -- the accounts with SSO logins are also compromised.
Another thing about MFA: identity provider accounts are among the "most critical accounts that a user can have," Push Security noted, but 20% are missing MFA.