Less than half of businesses using 1st generation Multi-Factor Authentication (MFA) do so because they believe it to be the most secure option available, new research from IDEE has revealed.

The cybersecurity firm commissioned an independent survey of more than 500 IT and cybersecurity professionals within UK businesses. It found that 95% of UK businesses use 1st gen MFA solutions in some form, but just 40% of those said they used it because it was deemed to be the most secure cyber security solution for their IT systems and data.

1st generation MFA includes MFA that relies on codes(sent via SMS, generated in an app, or generated on a hardware dongle), push notifications and QR code.

A third (32%) of 1st gen MFA users said they opted for that solution because it seems to be the most popular or common cybersecurity method at present.

IDEE’s research revealed other common factors that contributed to MFA buy-in, with 35% saying they implemented MFA to satisfy compliance or regulatory demand, while 31% stated it was required for their business or cyber insurance.

The survey also found that 27% use 1st gen MFA simply because it came as standard from their IT providers (such as Google or Microsoft), and 22% chose it because they believed it was cheaper than other solutions.

Al Lakhani, CEO of IDEE, said: “It’s alarming that businesses which are breached, deploy 1st generation MFA, continue to be breached, and the rest of the industry just copies it. As Einstein once said, ‘insanity means doing the same thing over and over again and expecting different results’.

“Over the past decade, IT departments have been led to believe that 1st gen MFA is the go-to cybersecurity solution for businesses globally thanks to misleading headlines from well-meaning companies – such as Microsoft – stating that MFA prevents 99% of all breaches. This is categorically false.

“The fact is that 1st gen MFA fails to protect businesses against common forms of cyber attack, such as prompt bombing, credential phishing and Man-in-the-Middle (MitM) attacks. For me, this data smacks of herd mentality – IT and cyber leaders are investing in MFA because it feels like the safe, blameless option, rather than properly scrutinising how well it stops the most common attacks.

“The entire industry needs to wake up. 1st gen MFA must be resigned to the dustbin of history. It’s time for businesses to shift their focus from blindly following the crowd to critically evaluating and implementing more robust security measures built on transitive trust and bulletproof identity proofing. Using this approach is necessary to achieve the Holy Grail of preventing account takeover.”