A new survey says that 69 percent of organizations are likely to do away with passwords within the next 5 years. The survey found that organizations on average are only protecting 56 percent of their assets with multi-factor techniques. When asked why they had not yet made improvements to their authentication strategy, respondents cited resistance from company executives and disruption to users' daily routine as the top hindrances -- tied at 42 percent. Other reasons for not adopting an improved authentication strategy include:
- Lack of resources to support maintenance - 40 percent
- Steep employee learning curve - 30 percent
- Fear the improvements wouldn't work - 26 percent
"While companies are learning that password-only policies leave their organizations vulnerable, many ITDMs and C-level executives are still hesitant to evolve and update their authentication strategies," said Craig Lund, CEO of SecureAuth. "It's a tough balancing act -- organizations must confirm user identities with the strongest forms of access control while also balancing a positive and non-intrusive user experience. Fortunately, user-friendly adaptive access technologies such as device recognition, threat services, and geo-location look-up, when used in layers, help strengthen any organization's security posture, enabling users to stay both secure and productive with minimal disruption to their daily routines."
Nearly 99 percent of respondents agree two-factor authentication is the best way to protect an identity and its access. However, recent news has shown that many traditional two-factor authentication methods, such as SMS-based one-time passwords, are being circumvented by attackers in well-crafted phishing attacks. Illustrating this inherent risk, the National Institute of Standards and Technology (NIST) recently announced a proposal to no longer recommend two-factor authentication using SMS delivered one-time passcodes as an out-of-band authentication method. Indeed, basic two-factor authentication alone is no longer enough -- and it's time for companies to adapt.
Furthermore, the majority (73 percent) of the respondents cited security questions or knowledge-based authentication (KBA) as the most essential measure for a company to authenticate its users securely. However, attackers often compromise these security questions and answers, greatly increasing an individual's exposure to cybercriminal attacks. Responses to some security questions can also be gleaned from social media sites, social engineering attacks and even a cybercriminal's educated guess.
Encouragingly, other measures deemed essential by ITDMs for their organization's authentication strategy include: device recognition (59 percent); a biometric, such as fingerprint, facial or iris scans (55 percent); one-time passcodes (49 percent); and geo-fencing, geo-location or geo-velocity capabilities (34 percent).
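To make the layered adaptive checks named above (device recognition and geo-velocity, as described in the quote and the list of essential measures) concrete, here is an added example of a small risk engine that combines them into an allow / step-up / deny decision. It is not SecureAuth's code or part of the survey; the thresholds, the 1000 km/h travel limit and the sample login attempts are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    user: str
    device_id: str   # opaque identifier from a device-recognition cookie/fingerprint
    lat: float
    lon: float
    ts: float        # Unix time in seconds

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def geo_velocity_kmh(prev, cur):
    """Speed the user would have needed to travel between two logins."""
    hours = max((cur.ts - prev.ts) / 3600.0, 1 / 3600.0)  # floor at one second
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours

def evaluate(cur, known_devices, prev=None, max_kmh=1000.0):
    """Layer device recognition and geo-velocity into one risk score.

    Returns (decision, score, reasons). Weights and thresholds are
    constructed for this example, not a vendor's policy.
    """
    score, reasons = 0, []
    if cur.device_id not in known_devices:          # device-recognition layer
        score += 40
        reasons.append("unrecognized device")
    if prev is not None:                            # geo-velocity layer
        v = geo_velocity_kmh(prev, cur)
        if v > max_kmh:
            score += 50
            reasons.append(f"impossible travel ({v:.0f} km/h)")
    if score >= 60:
        return "deny", score, reasons
    if score >= 40:
        return "step_up", score, reasons            # e.g. require a second factor
    return "allow", score, reasons
```

Each layer only adds signal; a recognized device seen at a plausible location passes without extra friction, which is the "behind the scenes" behaviour the survey respondents want.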
"Organizations are using outdated authentication approaches that require extra steps for users, and are ineffective against today's advanced attacks," said Keith Graham, CTO of SecureAuth. "Legacy two-factor approaches to authentication are no longer enough, and organizations must evolve and strengthen their defenses against cyber adversaries. Those that are forward-thinking are implementing modern, behind-the-scenes adaptive risk checking that increases security while not getting in the way of the end user experience. Strong security during authentication no longer has to be at the expense of the end user -- users and organizations can now have both."