Survey Shows Low Passkey Awareness and Overconfidence in Old Auth Methods

Published Date : 10/2/2025 

Yubico's 2025 Global State of Authentication Survey highlights a significant gap between perceived cybersecurity and actual vulnerability. Despite widespread awareness of cyber threats, many users still rely on outdated and insecure authentication methods. 

There is a persistent disconnect between perceived cybersecurity and actual vulnerability. That’s the key finding from Yubico’s 2025 Global State of Authentication Survey. The findings indicate a world still reliant on outdated authentication practices, highlighting the need to align personal and workplace cyber hygiene.

Based on responses from 18,000 employed adults across nine countries — Australia, France, Germany, India, Japan, Singapore, Sweden, the UK, and the U.S. — the data points to a troubling overconfidence in legacy login methods. Yubico expanded its YubiKey as a Service, which offers device-bound passkey solutions, to all countries in the European Union in May.

The company also expanded its line of biometric hardware keys last November. Passkeys use biometrics or a PIN for user authentication. Despite widespread awareness of cyber threats, 26 percent of respondents still consider usernames and passwords the most secure option, and 41 percent trust SMS-based authentication. These are both highly susceptible to attack. These misconceptions drive risky behavior: 60 percent use passwords for personal accounts and 56 percent for work accounts.

Alarmingly, 84 percent of employees who acknowledge role-based security differences within their organization still believe their company’s cybersecurity is adequate; failing to recognize that inconsistent protection creates exploitable gaps. Regional insights reveal stark contrasts in cybersecurity attitudes and adoption. European countries like France and Germany show cautious optimism. France, for example, saw personal MFA usage surge from 29 percent in 2024 to 71 percent in 2025 — a stirring shift toward stronger security.

Yet French users also report the highest reliance on insecure SMS-based MFA among European nations (46 percent personal, 36 percent work). Germany, meanwhile, leads in device discipline, with 58 percent of employees using only company-approved devices, which is well above the global average of 46 percent. However, only 40 percent of German companies deploy MFA across all services, one of the lowest rates surveyed.

In contrast, the U.S. embraces cutting-edge tools but maintains relaxed boundaries. It leads in passkey adoption (18 percent work, 16 percent personal), yet 58 percent of employees use personal devices for work (eight percent above the global average) introducing new attack vectors. U.S. respondents also report the highest rates of password compromise across categories. Asia-Pacific nations, particularly India and Singapore, are emerging as proactive leaders in a high-risk environment. Indian respondents express strong confidence in their cybersecurity posture (77 percent personal, 49 percent corporate), backed by action: India reports the highest corporate MFA adoption (72 percent) and passkey familiarity (47 percent “very familiar”).

This vigilance likely stems from experience. India also reports the highest rates of password compromise in social media (39 percent), retail (19 percent), and banking apps (19 percent). Singapore shows similarly strong performance, with 78 percent personal MFA adoption and 64 percent of employees receiving cybersecurity training.

AI-driven threats are causing alarm, though unevenly across regions. Japan saw the most dramatic increase in apprehension, with concern jumping from 31 percent in 2024 to 74 percent in 2025. Sweden followed with a rise from 37 percent to 68 percent. Western countries started from a higher baseline: the UK rose from 61 percent to 81 percent, and the U.S. from 61 percent to 77 percent. While awareness is growing globally, the pace of concern is accelerating in regions previously less alarmed.

Interestingly, this concern doesn’t always translate into AI literacy. When shown sample emails — one written by an AI and one by a human — only 44 percent of French and 47 percent of German respondents correctly identified the AI-generated message, compared to 43 percent in the U.S. and 45 percent in the UK. This may suggest greater sensitivity to AI nuances in continental Europe.

A universal challenge remains: passkey education. Despite their security advantages, passkeys are still poorly understood. Globally, 45 percent of non-users say they’ve never heard of them. In France, 65 percent of respondents are unfamiliar with passkeys, and 44 percent have never used one. This isn’t a matter of technical complexity, it’s a gap in awareness. Organizations must prioritize education to accelerate adoption of phishing-resistant authentication.

Encouragingly, belief in secure methods is shifting. In the UK, confidence in hardware security keys and passkeys rose from 17 percent in 2024 to 37 percent in 2025. The U.S. saw similar growth, from 18 percent to 34 percent. Familiarity is rising too: 35 percent of U.S. users and 33 percent of UK users describe themselves as “very familiar” with passkeys, compared to just nine percent in France. Germany shows strong trust in hardware keys (37 percent) but lags slightly in passkey familiarity (23 percent).

Yubico says its 2025 survey paints a clear picture. While legacy authentication remains dominant, global momentum is building toward stronger, phishing-resistant practices. And to secure the digital future, organizations and individuals must act decisively. To move toward a passwordless, phishing-resistant future, closing the knowledge gap around cybersecurity is paramount. Organizations must educate employees on why legacy authentication methods are phishable, and why hardware-backed passkeys offer the strongest protection available against modern cyber attacks like phishing.

Organizations need to equip all users with phishing-resistant MFA, making portable hardware security keys the standard for highest-assurance security. Companies must move beyond legacy systems and adopt modern, phishing-resistant MFA across all applications for all employees, regardless of role or title. Every employee, regardless of role, is a target and needs the same high level of protection, the company believes. Eliminating inconsistent security policies is essential to closing weak points that attackers exploit. 

Frequently Asked Questions (FAQS): 

Q: What is the main finding of Yubico's 2025 Global State of Authentication Survey?

A: The main finding is a persistent disconnect between perceived cybersecurity and actual vulnerability, with many users still relying on outdated and insecure authentication methods.

Q: Why are passkeys important for cybersecurity?

A: Passkeys use biometrics or a PIN for user authentication, making them highly resistant to phishing attacks and providing stronger security compared to traditional methods like usernames and passwords.

Q: Which countries showed the highest increase in concern over AI-driven threats?

A: Japan and Sweden showed the highest increases, with Japan's concern jumping from 31 percent in 2024 to 74 percent in 2025, and Sweden's rising from 37 percent to 68 percent.

Q: What is the primary challenge in passkey adoption according to the survey?

A: The primary challenge is the lack of awareness and education about passkeys. Many users are unfamiliar with them, despite their security advantages.

Q: What steps do organizations need to take to improve cybersecurity, according to Yubico?

A: Organizations need to educate employees about the risks of legacy authentication methods, equip all users with phishing-resistant MFA, and adopt modern, phishing-resistant MFA across all applications for all employees. 

More Related Topics :