Passwords Weaken Company IP & Financial Data Protection

October 24, 2017 Marketing GrafWebCUSO

Half of all businesses still protect company IP and financial data with nothing more than a password. Those that do offer additional factors are choosing the weakest and most outdated options, including static questions and one-time passwords.

Those are two of the major findings from the Javelin Strategy & Research “2017 State of Authentication Report,” sponsored by FIDO Alliance.

For better protection, Javelin deems high-assurance strong authentication, which merges multifactor authentication with public key cryptography, the strongest authentication option available and the one it recommends businesses adopt going forward. The report maintains that this method is not susceptible to phishing, man-in-the-middle or other attacks targeting credentials, all of which are known weaknesses of passwords, static questions and OTPs.

The report claimed strong authentication has traditionally been synonymous with multifactor authentication. Unfortunately, passwords are not only inherently broken, but also ubiquitous — so practically any current application of MFA becomes undermined by their inclusion.

The report’s key findings show:

  1. In most cases, the only thing between company IP and hackers is a password: The mass compromise of passwords has contributed to increased risk of fraud on consumer accounts and network-level attacks from credential-stuffing botnet attacks, yet over half of all businesses still use only passwords to protect company IP and financial data.
  2. Companies are more likely to offer stronger authentication to their customers than their employees within the enterprise, but both segments lag in adopting high-assurance strong authentication: Half of businesses offer at least two factors when authenticating customers but only 35% of enterprises use two or more factors for authenticating employees to data and systems. For both, only 5% of businesses offer high-assurance strong authentication to customers or leverage it within the enterprise.
  3. Companies still rely upon knowledge and not possession: The weakest authentication factors remain the most popular and common, and they’re based on knowledge, not possession. Businesses use passwords plus static questions (31%) or SMS OTPs (25%) as their additional factors for customer authentication online. In enterprise, the next most common authentication method to passwords is static questions (26%). Factors predicated on possession, such as a security key or on-device biometrics, remain the exception and not the norm.
  4. Integration and user experience are the priority: According to the report, ease of integration is the main driver of companies’ choice of authentication solution. If a solution is perceived to hurt the user experience, companies fall back on easier second factors such as static security questions.

Not all multi-factor authentication combinations function equally, said Al Pascual, senior vice president and research director at Javelin Strategy & Research. “It’s time to set a new yardstick with which to measure strong authentication methods, with the strongest deemed ‘high assurance.’ Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders.”

“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director of the FIDO Alliance.

The FIDO (Fast IDentity Online) Alliance is a non-profit organization formed in July 2012 to address the lack of interoperability among strong authentication devices and the problems users face with creating and remembering multiple usernames and passwords.