Securing Authentication: Lessons Learned from 2024’s Cybersecurity Landscape
In 2024, the cybersecurity community has seen some stark reminders of how vulnerabilities in authentication and human behavior continue to be at the heart of security breaches. This year’s data underscores the critical need for organizations to not just rethink how they approach identity and access management, but execute on it. Let’s delve into our key observations and explore actionable takeaways to strengthen authentication security in 2025.
2024 Observations
1 | Considering the Human Element
The 17th Annual Data Breach Investigations Report (DBIR) by Verizon highlighted that 68% of breaches involved the non-malicious human element, including incidents driven by insider errors or social engineering. A separate ProofPoint survey revealed that:
- 71% of users admitted to taking risky actions online.
- Of those, 96% knew the risks but proceeded anyway, citing convenience (44%) and time savings (39%) as their primary motivators.
These statistics underscore the human tendency to prioritize efficiency over security. The implications are significant: human error and intentional risky behaviors remain the dominant root causes of breaches.
2 | Authentication is a Common Avenue for Attackers
Authentication remains a key target for cybercriminals. Verizon’s DBIR also revealed:
- Stolen credentials were the most common initial action, appearing in 24% of breaches.
- Phishing accounted for 14% of breaches involving credentials, with the median time for users to fall for phishing emails being less than 60 seconds.
These findings highlight how attackers continue to exploit weak authentication mechanisms and human susceptibility to phishing—a combination that is alarmingly effective.
3 | AI-Based Attacks Are Hard for Users to Detect
The rise of generative AI has amplified the challenge of distinguishing between human-crafted and AI-generated phishing attempts. The days of tall tales based on Nigerian Princes and emails overflowing with grammatical errors are fading fast. A 2021 experiment by Singapore’s Government Technology Agency revealed that:
- AI-generated spear-phishing emails were more successful than human-written ones in tricking users.
With generative AI becoming widely available in 2022, bad actors are leveraging these tools to craft increasingly convincing attacks. As these technologies evolve and bad actors hone their skills, phishing will only get harder for humans to detect, posing a growing threat to authentication security.
Key Takeaways for Strengthening Authentication Security
Takeaway 1: Start with the Basics
Make sure authentication security isn’t the weakest link in your organization’s cybersecurity ecosystem. If your organization runs on passwords, this is a well-established place to start. Passwords are not secure: they can be guessed, shared, or stolen through phishing or social engineering. Because passwords are the easiest credentials to exploit, and credentials are a popular entry point for attackers, organizations can protect themselves against a large swath of attacks just by changing how users authenticate.
If your organization uses passwords, consider strengthening them with:
- Multi-Factor Authentication (MFA)
  - One-time Password (OTP) tokens can be added as a second factor to passwords.
  - Learn more about OTP tokens here: https://ftsafe.us/product-category/one-time-password/
- FIDO-based Authentication
  - FIDO-based authentication can be used as a second factor on top of passwords.
  - Learn more about FIDO keys here: https://ftsafe.us/product-category/fido-security-keys/
- Go Passwordless
  - FIDO-based authentication can also replace passwords entirely, serving as a multi-factor authentication method in itself.
  - Learn about FEITIAN’s hardware-bound passkeys here: https://ftsafe.us/product-category/fido-security-keys/
These measures provide an immediate upgrade to the security posture and significantly reduce the risk of credential-based breaches.
Takeaway 2: Make Secure Authentication the Default Choice
Since the burden is on users to make the right choice each and every time they view their inboxes, open emails, answer the phone, and tackle support or other request tickets, organizations need to help users develop healthy habits. There are a variety of approaches, usable individually or in combination, that position safe security and authentication behavior as:
- The Default: through modern, repeated, engaging training with curriculums that evolve with the landscape.
- A Top-down Responsibility: by garnering management support and engaging other team-member-focused departments outside IT and security, such as Human Resources and Corporate Communications, programs can be put in place to elevate the importance of making safe authentication decisions.
- Positively Reinforced: it’s well documented that people naturally respond to positive reinforcement, so put programs in place that track and reward good behavior. A worthy incentive can tip the scale by changing people’s thought process at the critical moment when they decide whether to take the convenient/risky route or the secure route: “I will keep my corporate gym membership IF I enroll my corporate FIDO key with this new tool/app my team was just approved to buy/use.”
- The Easy Choice: whether your organization leverages modern MFA or FIDO by FEITIAN, make an effort to reduce user friction. This can be done through:
  - a white-glove roll-out that gives users a good first impression of MFA/FIDO
  - self-serve user training, such as short how-to videos that enable users to quickly resolve their questions
  - training for new team members to ensure they get up and running quickly and easily when they join the team
When users prefer secure options, whether through convenience or positive reinforcement, they are far less likely to bypass them for risky shortcuts – and they are more likely to develop good habits that build positive momentum over time.
Takeaway 3: Plan for the Long Term
The cybersecurity landscape is constantly evolving, and so should your authentication strategy. Develop a long-term plan:
- Maybe your organization isn’t ready to deploy FIDO right away; that’s fine – but it’s worth investigating FIDO, and if it’s right for your organization, put a plan in place to make it happen.
- Take a long-term approach to ease your daily burden today and tomorrow. Keeping up with security technology and threats over time, assessing your organization’s users, apps, IT infrastructure and constraints, and constantly building on your existing foundation to adapt to changes incrementally is much easier than running a catch-up fire drill every couple of years (or every time a breach hits the news).
Staying ahead requires proactive planning, ongoing investment, and a commitment to agility in your security approach.
Stepping into 2025
The 2024 cybersecurity landscape has reinforced that authentication security is not just a technical challenge but a human one as well. By adopting modern MFA solutions, designing user-friendly secure paths, and staying ahead of emerging threats with a forward-looking strategy, organizations can build a robust defense against evolving threats. The time to act is now—the future of your organization’s security depends on it.
Reach out to us for a free consultation with one of our security experts to explore how FEITIAN can support your authentication security journey at sales@ftsafe.us