A new study, 2017 State of Authentication, examines how businesses are implementing authentication, their motivations for choosing authentication technologies and approaches, and how the evolving threat environment has given rise to new, more effective means of authenticating customers and employees in today’s digital world.
Digital channels are becoming the go-to places where consumers interact with businesses and each other. To accommodate their customers and better manage their organizations in a digital world, businesses have become incredibly dependent on a web of systems both on and off their networks to manage, store, and transmit diverse information such as financial accounts, personally identifiable information, intellectual property, transaction records, etc.
Authentication is central to the ability of these businesses to effectively secure access to consumer-facing digital channels and the systems that underpin their operations.
Strong authentication is evolving. Strong authentication has traditionally been synonymous with multifactor authentication (MFA). Unfortunately, passwords are not only inherently broken but also ubiquitous, so practically every current deployment of MFA is undermined by their inclusion: a password and a one-time code are both shared secrets that the user types in, and a phishing page that relays both to the real site defeats the second factor as surely as the first. A superior approach, high-assurance strong authentication, merges MFA with strong cryptography. In this model two or more factors are in use and at least one relies on public-key cryptography, typically through a protocol such as FIDO: the service issues a fresh challenge, the user's device signs it with a private key that never leaves the device, and a captured response cannot be replayed because the next challenge is different.
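The difference between a replayable shared secret and a signed challenge can be made concrete. The following Go program is an added example, not code from the study or from any FIDO implementation: it models a hypothetical relying party at https://bank.example, uses a six-digit code as a stand-in for a password or still-valid OTP, and uses Ed25519 with a simplified origin-plus-challenge message in place of FIDO's real data formats. The names RelyingParty, Authenticator, Outcome and Demo are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// RelyingParty is a hypothetical service (example code, not from the study).
// It can verify either a shared secret or a signed challenge.
type RelyingParty struct {
	origin     string
	secret     []byte            // stands in for a password or a still-valid OTP code
	pubKey     ed25519.PublicKey // registered at enrolment; the private key stays on the device
	challenges map[string]bool   // outstanding challenges, deleted once used
}

func NewRelyingParty(origin string, secret []byte, pub ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, secret: secret, pubKey: pub, challenges: map[string]bool{}}
}

// LoginWithSecret models a knowledge factor or an OTP: whoever presents the
// right bytes is accepted, so a captured message can simply be sent again.
// (A real server stores a password hash; that does not change the replay property.)
func (rp *RelyingParty) LoginWithSecret(presented []byte) bool {
	return subtle.ConstantTimeCompare(presented, rp.secret) == 1
}

// NewChallenge issues 32 random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// signedMessage binds the challenge to the origin the client believes it is
// talking to, in the spirit of FIDO's client data (simplified here).
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// LoginWithSignature accepts a signature only over a challenge it issued,
// consumes that challenge, and checks the signature against the registered key.
func (rp *RelyingParty) LoginWithSignature(challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return false // never issued, or already used
	}
	delete(rp.challenges, key)
	return ed25519.Verify(rp.pubKey, signedMessage(rp.origin, challenge), sig)
}

// Authenticator is the user's device; it signs for whatever origin it sees.
type Authenticator struct{ priv ed25519.PrivateKey }

func (a Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// Outcome records which attempts the relying party accepted.
type Outcome struct {
	LegitSignatureAccepted   bool // the genuine signed login
	SecretReplayAccepted     bool // replay of a captured password/OTP
	SignatureReplayAccepted  bool // replay of a captured (challenge, signature)
	PhishedSignatureAccepted bool // signature relayed from a look-alike origin
}

// Demo runs both flows against the hypothetical relying party.
func Demo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example", []byte("123456"), pub) // constructed sample data
	device := Authenticator{priv: priv}
	var out Outcome

	// 1. Shared secret: the attacker captures the code in transit and sends it again.
	captured := []byte("123456")
	rp.LoginWithSecret(captured) // the user's own login
	out.SecretReplayAccepted = rp.LoginWithSecret(captured)

	// 2. Signed challenge: the user logs in, then the attacker replays the capture.
	c := rp.NewChallenge()
	sig := device.Sign("https://bank.example", c)
	out.LegitSignatureAccepted = rp.LoginWithSignature(c, sig)
	out.SignatureReplayAccepted = rp.LoginWithSignature(c, sig)

	// 3. Real-time phishing: the attacker relays a genuine challenge through a
	// look-alike site. The device signs for the origin it sees, so verification
	// over the real origin fails.
	c2 := rp.NewChallenge()
	phishedSig := device.Sign("https://bank-example.com", c2)
	out.PhishedSignatureAccepted = rp.LoginWithSignature(c2, phishedSig)
	return out
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it shows the shared secret accepted twice from the same captured bytes, the signed login accepted once, and both the replayed signature and the signature relayed through a look-alike origin rejected. The replay protection comes from issuing a fresh random challenge and consuming it on use; the phishing resistance comes from binding the signature to the origin, which is the property a password or OTP cannot have.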
Traditional strong authentication is broadly available for customers, but adoption lags in the enterprise. Industry initiatives and regulations have resulted in broad availability of traditional strong authentication both for customers and within the enterprise. Fifty percent of businesses offer at least two factors when authenticating their customers, though within the enterprise only 35% of businesses use two or more factors to secure access to their data and systems.
A lack of high-assurance strong authentication is leaving businesses exposed. High-assurance strong authentication is rare: only 5% of businesses offer the capability to customers or leverage it within the enterprise. This represents a clear area of opportunity for criminals and other threat actors, who are increasingly able to circumvent authentication solutions that rely on shared secrets, regardless of how many factors they encounter in a single session.
Mobile devices are a clear driver of traditional strong authentication. Facilitating both possession-based authentication (e.g., device fingerprinting, SMS-based one-time passwords (OTP), etc.) and inherence-based authentication (e.g., fingerprint scanning, voice recognition, etc.), mobile devices have increased the opportunity for businesses to leverage more than just passwords to authenticate their customers and employees.
Knowledge and possession factor solutions are the most common combination in a multifactor scheme. Passwords are supported by all businesses that provide access to customer accounts, and along with other knowledge factor solutions are the most popular for customer authentication. These are followed by solutions predicated on possession (e.g., security keys, hardware one-time password tokens, etc.), and solutions based on inherence (e.g., biometrics) are in a distant third place.
Accuracy and customer loyalty are key. To win the support of businesses, authentication solutions must prove their effectiveness both in keeping bad actors out and in ensuring a positive security perception for good ones. It is notable that, while customer loyalty tops the list, low customer friction falls to the bottom, indicating that many businesses see friction as not only unavoidable, but perhaps also beneficial in persuading customers that their site is secure.
A third of US businesses have had customer information breached, including the very information businesses rely on to authenticate their customers. The mass compromise of passwords has increased both the risk of fraud on consumer accounts and the volume of credential-stuffing attacks, in which botnets replay breached username and password pairs against other sites.
Ease of integration and compliance with industry standards are seen as more important for employee authentication. While ease of use is perceived as an important factor in selecting employee authentication solutions, it ranks behind ease of integration with existing systems and certification to industry standards. No single attribute stood out as being of leading importance in the selection of employee authentication methods.
Responsibilities to clients aren’t registering as a motivator to secure the enterprise. Despite an environment in which regulators and industry associations are leaning on businesses to ensure vendors and partners are using strong security, few businesses consider contractual obligations to clients for more stringent security when selecting authentication methods.
Unfortunately, more than half of U.S. companies protect IP and company financial information using only passwords. Although roughly a third of businesses use traditional strong authentication somewhere in the enterprise, this does not mean that all of their systems and data are secured with anything better than a password. Most aren’t.
Businesses, especially retailers, are most concerned about third-party breaches. 65% of businesses report being highly concerned with the threat posed to their business by third-party breaches, compared with 57% for employee fraud and abuse, and 52% for breaches by insiders such as employees, contractors, or vendors. While third-party breaches are undoubtedly concerning, this ranking raises the prospect that businesses are overlooking the threat posed by malicious actors entering through trusted channels.
When criminals breach a business and target the company’s data, they most often go where the money is, but the company’s competitive differentiators are also attractive. Among all types of enterprise data compromised, company financial data tops the list (46% of cases), followed closely by company intellectual property (44% of cases).