Security adoption is inherently tied to usability. And unfortunately, three-quarters of respondents in a recent SecureAuth survey who use two-factor authentication (2FA) admit that they receive complaints about it from their users—and nearly 10% of them just “hate it.”
That 74% dissatisfaction rate is a noticeable turnaround from the 2016 SecureAuth survey, which revealed 99% of IT departments believed two-factor authentication was the best way to protect an identity and its access.
“It’s not surprising that organizations are receiving an increasing amount of complaints about 2FA,” said Craig Lund, CEO and founder of SecureAuth. “IT professionals face an ongoing battle as they are frequently forced to choose between user experience and increased security. This should be a false paradigm in 2017. Adaptive authentication solutions provide world-class security without impacting usability. That’s because risk checks are done without users even being aware of it—and two-factor authentication is applied only if risks are detected.”
Adaptive authentication is a method for selecting the right two-factor or multi-factor authentication factors depending on a user’s risk profile and tendencies—in other words, for adapting the type of authentication to the situation. To implement this, the system admin can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day, or day of week. Alternatively, or in addition, the system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
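A sketch of how the static and learned signals described above can combine into a step-up decision. This is an added example, not SecureAuth code; every name, weight and threshold in it is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Static policy set by the admin. All weights and thresholds are
# constructed for illustration, not taken from any product.
ROLE_RISK = {"admin": 30, "finance": 20, "staff": 5}
RESOURCE_RISK = {"payroll": 30, "wiki": 5}
UNKNOWN_RISK = 20          # role or resource missing from the policy
WEEKEND_RISK = 10
NEW_COUNTRY_RISK = 30      # deviation from learned behaviour
NEW_HOUR_RISK = 15
REQUIRE_2FA_AT = 40
REQUIRE_MFA_AT = 90

@dataclass
class Profile:
    """Learned tendencies of one user: where and when they log in."""
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def learn(self, country: str, when: datetime) -> None:
        # Call only after a fully authenticated login, so a stolen
        # password cannot teach the profile the attacker's habits.
        self.countries.add(country)
        self.hours.add(when.hour)

def risk_score(role, resource, country, when, profile):
    score = ROLE_RISK.get(role, UNKNOWN_RISK)
    score += RESOURCE_RISK.get(resource, UNKNOWN_RISK)
    if when.weekday() >= 5:                  # Saturday or Sunday
        score += WEEKEND_RISK
    # An empty profile matches nothing, so a first login scores as unfamiliar.
    if country not in profile.countries:
        score += NEW_COUNTRY_RISK
    if when.hour not in profile.hours:
        score += NEW_HOUR_RISK
    return score

def decide(role, resource, country, when, profile):
    """Map the score to the authentication the user must complete."""
    score = risk_score(role, resource, country, when, profile)
    if score >= REQUIRE_MFA_AT:
        return "require_mfa"     # two additional factors
    if score >= REQUIRE_2FA_AT:
        return "require_2fa"     # one additional factor
    return "allow"               # password only, no prompt shown
```

A familiar login to a low-value resource passes without a prompt, while the same password used from an unseen country at an unseen hour triggers step-up.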
The survey reveals that while 56% of organizations are using 2FA in many instances, 37% of IT decision-makers are moving towards adaptive authentication. In addition, a further 16% are preparing to implement or expand adaptive authentication in the next 12 months.
Further, among large organizations (2,500 or more employees), the usage of adaptive authentication rises to 41%. Additionally, 20% of medium-sized businesses (those with 250-2,499 employees) are planning to implement or expand adaptive authentication in 2017.
On the flip side, IT decision-makers from small organizations were significantly less likely than those from larger organizations to implement or expand adaptive authentication in the next 12 months (24% and 42%, respectively). Despite their lack of implementation, 73% of the respondents from small organizations said they were concerned about the potential misuse of stolen credentials and identities to access their organization’s assets and information. A key reason for this contrast may be found in cybersecurity spending; for example, SecureAuth’s December 2016 survey revealed a slowing in budget increases between 2015 and 2016. It is clear that smaller budgets have left small organizations vulnerable to breaches by way of stolen credentials.
“These findings indicate there is an upheaval for adaptive authentication solutions beyond 2FA and the traditional password,” says Lund. “Organizations are already implementing stronger methods of user authentication, including adaptive access control and multi-factor authentication. By layering adaptive techniques such as device recognition, geo-location, the use of threat services, and even behavioral biometrics, organizations can verify the true identity of the end user while still providing positive user experience.”
Photo © Monika Wisniewska