Startling Factoids from Auth0’s 2022 Report

I read a lot of vendor reports. In general, most are fairly boring. Most only collected answers to survey questions selected by admin/users, which I don’t find to be the most helpful data. Admin and user answers to survey questions often don’t map to what the real-world data is showing. I don’t know if it’s just a problem with basic human memory and reporting mistakes or, what I think is more likely, question and answer biases that end up generating answers favorable to the vendor paying for the survey. I like computer security reports with data collected from real-world customers in real-world scenarios. To me, that’s the data that means the most (even if there is still vendor bias in what is collected and reported). At least the report is relying on collected real-world data versus user self-reporting.

I found Auth0’s 2022 State of the Secure Identity Report (https://auth0.com/resources/whitepapers/2022-state-of-secure-identity-report) to be one of the best I’ve read in a long time. That it concentrates on authentication, a favorite topic of mine, is all the better. Here are some stats that blew me away:

In 1Q 2022, Auth0 collected data showing:

  • Scammers tried almost 300M times to create fraudulent accounts (fraudulent registration), and fraudulent registration attempts are 23% of all attempted sign-ups on Auth0’s platform
  • Credential stuffing attacks are 34% of overall traffic/authentication events on Auth0’s platform, with almost 10B detected by Auth0 in the first quarter of 2022
  • Credential Stuffing attacks regularly created excessive logon traffic 5-10 times the targeted customer’s normal logon traffic (defenders can monitor and detect abnormal levels)
  • 113M attacks against MFA
  • Auth0 sees an average of 50K password attacks a day, mostly due to password re-use
  • 58% of customers suffered at least 1 breach due to password compromise

These are some large numbers and percentages. Most of the attack stats they reported were trending worse this year than last. To be clear, this is just what one company, albeit a leader in cybersecurity authentication, detected in 90 days in 2022. The real numbers are far bigger.

I encourage readers to download the larger report (https://auth0.com/resources/whitepapers/2022-state-of-secure-identity-report) and read it. Lots of good information. Lots of good suggested defenses.
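
The credential stuffing bullet above says attack traffic regularly runs 5-10 times a customer's normal logon volume and that defenders can monitor for it. The following is an added example, not from this post or from Auth0's report: a Python detector that flags any hour whose logon count is at least 5 times the median of the preceding hours. The log line format, the six-hour baseline window, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import median

SPIKE_FACTOR = 5  # low end of the 5-10x range quoted in the bullet above

def hourly_counts(log_lines):
    """Bucket 'ISO-timestamp user OK|FAIL' lines by hour -> (totals, failures)."""
    totals, failures = Counter(), Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        try:
            hour = datetime.fromisoformat(parts[0]).replace(minute=0, second=0)
        except ValueError:
            continue  # unparseable timestamp
        totals[hour] += 1
        failures[hour] += parts[2] == "FAIL"
    return totals, failures

def find_spikes(totals, failures, window=6, factor=SPIKE_FACTOR):
    """Flag hours whose logon volume is >= factor x the median of the previous
    `window` unflagged hours. Returns (hour, count, baseline, fail_share)."""
    spikes, history = [], []
    for hour in sorted(totals):
        n = totals[hour]
        if len(history) >= window:
            baseline = max(median(history[-window:]), 1)
            if n >= factor * baseline:
                spikes.append((hour, n, baseline, failures[hour] / n))
                continue  # keep flagged hours out of the baseline
        history.append(n)
    return spikes

def sample_log():
    """Constructed data: normal hours of about 20 logons, one hour at 150."""
    lines = []
    for h, n in enumerate([20, 22, 19, 21, 20, 23, 21, 150, 20]):
        for i in range(n):
            result = "FAIL" if n > 100 and i % 20 else "OK"
            lines.append(f"2022-03-01T{h:02d}:{i * 60 // n:02d}:00 user{i} {result}")
    return lines

if __name__ == "__main__":
    for hour, n, base, fail in find_spikes(*hourly_counts(sample_log())):
        print(f"{hour:%Y-%m-%d %H:00} logons={n} baseline={base} failed={fail:.0%}")
```

Hours with no logon events at all do not appear in the counts, so on a very quiet system the baseline skews slightly high; the failure share is reported alongside the volume because a spike made up mostly of failed logons is harder to explain as legitimate traffic.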
