Yubico’s 2025 Global State of Authentication report exposes a large gap between perceived and actual authentication security: employees and organizations rely heavily on passwords and SMS while many lack up-to-date training, and AI-driven attacks are increasing both threat sophistication and user concern. The report urges widespread MFA adoption—especially device-bound passkeys and hardware security keys—supported by education and consistent policies to close vulnerabilities. #Yubico #YubiKey
Key points
- Typical report structure: Introduction (scope and context), Executive Summary (headline findings and sample size), The New Cyber Landscape (threat overview, behavior analysis, regional spotlights), Solutions (education, MFA adoption, hardware keys), Conclusion (recommendations), About the organization, and Methodology (survey details and dates).
- Introduction and Executive Summary normally summarize scope, participant demographics, and the central thesis—here highlighting widespread misperceptions about authentication security and emerging AI-enabled threats.
- Survey methodology and sample sizes are usually stated clearly; this report cites a broad international sample across nine countries and provides dates and the surveying organization to establish credibility.
- Major statistics: a substantial share of workers lack basic training—40% report never receiving cybersecurity training and 44% of companies delay policy updates beyond 3–5 months—indicating stale or absent guidance.
- Authentication landscape statistics: 62% of organizations still rely primarily on username/password credentials; 44% use SMS OTPs; 39% use mobile TOTP/push authenticators; 33% report synced passkeys and 33% report device-bound passkeys in some contexts—yet only 17% of companies use device-bound passkeys broadly for their workforce.
- Perception versus reality: SMS is perceived as most secure by 41% of respondents, time-based OTPs by 33%, passwords by 26%, and device-bound passkeys by 30%—misaligned perceptions that increase exposure to phishing and SIM-swapping attacks.
- Personal behavior risks: large overlap of personal and work device use (40–50% depending on measure), 29% of people do not use MFA for personal email, and common personal authentication remains dominated by passwords (60%) and SMS (36%), creating attack pathways into corporate environments.
- AI impact and threat evolution: respondents report rising awareness and concern—76% worried about AI affecting account security (up from 58% in 2024); 78% aware of new AI-enabled scams and 70% believing such attacks are more successful—AI lowers the barrier to craft highly convincing phishing, fake sites, and deepfakes.
- Phishing effectiveness: among those tricked, 34% were deceived because the message appeared to come from a trusted source; AI’s personalization capability exacerbates social engineering success rates.
- Human vs AI content detection: many users struggle to distinguish human-written from AI-generated communications (only ~30–46% correct identification depending on prompt), with younger cohorts better at detection—highlighting the need for technical controls rather than relying solely on user judgment.
- Regional and US spotlight findings: the US shows higher device-bound passkey awareness/use (33% of those familiar with passkeys had used hardware passkeys) and higher personal device usage for work (58%); adoption patterns vary globally, with India, Australia, and Singapore showing strong passkey/MFA adoption in some segments.
- Generational trends: Gen Z and Millennials show higher personal MFA adoption (Gen Z ~71%, Millennials ~68%) and greater corporate passkey uptake among Millennials (20%) and Gen Z (19%), suggesting future organic growth in advanced authentication use.
- Barriers to MFA and passkey adoption: lack of familiarity (40%), perceived complexity (24%), time constraints (22%), and perceived cost (9%); 45% of non-passkey users had never heard of them—indicating education and user-experience improvements are primary levers.
- Case for hardware security keys: device-bound passkeys/hardware keys are presented as the “gold standard” for phishing-resistant authentication—requiring possession and user interaction—reducing account takeovers and support costs, yet enterprise deployment remains low (17% usage reported).
- Recurring themes and takeaways: mismatch between confidence and actual protection, inconsistent policies across roles (84% of those in role-differentiated environments still rate security as “secure”), and the urgent need to modernize away from passwords/SMS toward phishing-resistant MFA.
- Actionable recommendations highlighted: prioritize consistent, regular cybersecurity education; mandate and simplify MFA (favor device-bound passkeys where feasible); distribute hardware security keys strategically; remove role-based protection gaps; and monitor AI-driven threat vectors.
- Impact and ROI messaging: successful hardware-key deployments typically yield measurable declines in account incidents, reduced help-desk burden, and stronger user confidence—positioning investment in device-bound passkeys as both security-critical and cost-effective.
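The phishing resistance the report attributes to device-bound passkeys (and the SIM-swapping and relay exposure of SMS and OTP codes) comes from the browser binding each assertion to the relying party ID and origin of the page actually loaded. The following toy model is an added illustration, not code from the report or from Yubico: names such as `DeviceBoundAuthenticator`, `RelyingParty`, `RP_ID` and the origins are constructed, and an HMAC over the client data stands in for the per-credential private-key signature that real WebAuthn authenticators produce.

```python
import hmac, json, secrets

RP_ID = "example.com"                            # constructed relying party (RP)
EXPECTED_ORIGIN = "https://login.example.com"

class DeviceBoundAuthenticator:
    """Toy device-bound passkey: one secret per rpId that never leaves the device.
    HMAC stands in for the per-credential private-key signature of real WebAuthn."""
    def __init__(self):
        self._creds = {}
    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]               # toy stand-in for the public key
    def get_assertion(self, rp_id, challenge, origin):
        # The browser supplies rpId and origin from the page actually loaded;
        # the user cannot override them, so a look-alike site finds no credential.
        if rp_id not in self._creds:
            return None
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self._creds[rp_id], client_data.encode(), "sha256").hexdigest()
        return {"client_data": client_data, "sig": sig}

class RelyingParty:
    def __init__(self, key):
        self._key, self._pending = key, set()
    def new_challenge(self):
        c = secrets.token_hex(16); self._pending.add(c); return c
    def verify(self, assertion):
        if assertion is None:
            return "no credential for this rpId"
        data = json.loads(assertion["client_data"])
        if data["origin"] != EXPECTED_ORIGIN:
            return "origin mismatch"             # signed on a page the RP did not serve
        if data["challenge"] not in self._pending:
            return "stale challenge"             # replay of an already-used assertion
        good = hmac.new(self._key, assertion["client_data"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(good, assertion["sig"]):
            return "bad signature"
        self._pending.discard(data["challenge"])
        return "ok"

def passkey_scenarios():
    """Look-alike domain, attacker-controlled subdomain, legitimate login, replay."""
    auth = DeviceBoundAuthenticator()
    rp = RelyingParty(auth.register(RP_ID))
    phish = auth.get_assertion("example-com.net", rp.new_challenge(), "https://login.example-com.net")
    subdomain = auth.get_assertion(RP_ID, rp.new_challenge(), "https://attacker.example.com")
    real = auth.get_assertion(RP_ID, rp.new_challenge(), EXPECTED_ORIGIN)
    return {"lookalike": rp.verify(phish), "wrong_origin": rp.verify(subdomain),
            "legit": rp.verify(real), "replay": rp.verify(real)}
```

An SMS or app-generated OTP carries none of this context, so a code typed into a look-alike page verifies just as well when forwarded to the real site, which is the gap the report's statistics on SMS reliance describe.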
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)