Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS codes that leave them vulnerable to data breaches.
That’s the word from Javelin Strategy & Research’s 2017 State of Authentication Report, based on two online surveys of 200 businesses with customer portals and 200 with employee portals. It found that half of all respondents still rely on passwords alone to protect company IP and financial data. The half that do offer a second factor to customers tend to pick the weakest options: static questions (31%) and SMS one-time passcodes (25%) are the most prevalent additional factors for online customer authentication.
Meanwhile, only 35% of enterprises use two or more factors to authenticate their employees to data and systems. Across both groups, high-assurance strong authentication (i.e., factors predicated on possession, such as a security key or on-device biometrics) is rare: only 5% of businesses offer it to customers or use it within the enterprise. After passwords, the most common authentication method is static questions (26%).
“Not all multi-factor authentication combinations are created equal, and it’s time to set a new yardstick with which to measure strong authentication methods, with the strongest deemed ‘high assurance,’” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders. We believe that the adoption of high-assurance strong authentication will only increase in the months and years to come, and data breaches as the result of credential theft to decline.”
Integration and user experience are the priority: according to the report, companies choose authentication solutions mostly on ease of integration. And when a solution is perceived to hurt the user experience, companies fall back on easier second factors such as static security questions.
“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director at the FIDO Alliance, which sponsored the report. “Stronger ‘high-assurance’ authentication options that bind credentials to the device so they cannot be stolen are now widely available.”
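The difference McDowell describes, between a code that can be typed into any page and a credential that only answers for the site it was registered with, is easier to see in a small simulation. The following Python is an added example, not code from the report, Javelin or the FIDO Alliance. It models a relying party that offers both an SMS one-time passcode and a device-bound credential, then runs a phishing relay against each. The origins, user name and classes are assumptions made for the illustration, and the device-bound credential is simulated with an HMAC key that never leaves the authenticator object; a real FIDO authenticator signs with a private key and the server holds only the public key, but the origin scoping and one-time challenge behave the same way.

```python
"""Simulation: a replayable SMS code versus an origin-scoped, device-bound credential.

Added example (not from the original article). Origins, user and classes are assumptions;
HMAC stands in for the public-key signature a real FIDO authenticator would produce.
"""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://bank.example"           # assumed legitimate site
PHISH_ORIGIN = "https://bank-login.example"  # assumed attacker-controlled look-alike


class RelyingParty:
    """Server side: issues SMS codes, issues one-time challenges, verifies assertions."""

    def __init__(self, origin):
        self.origin = origin
        self.otps = {}      # user -> current SMS code
        self.keys = {}      # user -> verification key from registration
        self.pending = {}   # challenge -> user; consumed on first use

    # Weak second factor: a code that is valid no matter which page collected it.
    def send_sms_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[user] = code
        return code  # "delivered" to the user's phone

    def check_otp(self, user, code):
        return hmac.compare_digest(self.otps.get(user, ""), code)

    # High-assurance factor: credential bound to the device and to this origin.
    def register(self, user, verification_key):
        self.keys[user] = verification_key

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def verify_assertion(self, user, challenge, claimed_origin, tag):
        if self.pending.pop(challenge, None) != user:  # unknown or already used
            return False
        if claimed_origin != self.origin:              # assertion was for another site
            return False
        expected = hmac.new(self.keys[user], f"{challenge}|{claimed_origin}".encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Authenticator:
    """User's device. Keys never leave it; each credential answers only for its own origin."""

    def __init__(self):
        self.credentials = {}  # origin -> key

    def make_credential(self, origin):
        key = secrets.token_bytes(32)
        self.credentials[origin] = key
        return key  # stand-in for the public key exported at registration

    def sign(self, challenge, origin):
        key = self.credentials.get(origin)
        if key is None:
            return None  # no credential for this site: nothing to sign
        return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).digest()


def otp_phish_succeeds():
    """User types the SMS code into the phishing page; attacker replays it to the real site."""
    rp = RelyingParty(RP_ORIGIN)
    stolen_code = rp.send_sms_otp("alice")   # captured by the attacker's form
    return rp.check_otp("alice", stolen_code)


def device_bound_phish_fails():
    """Attacker relays the real challenge, but the browser reports the phishing origin."""
    rp, auth = RelyingParty(RP_ORIGIN), Authenticator()
    rp.register("alice", auth.make_credential(RP_ORIGIN))
    challenge = rp.new_challenge("alice")           # fetched from the real site by the attacker
    tag = auth.sign(challenge, PHISH_ORIGIN)        # authenticator has no key for this origin
    if tag is None:
        return False                                # nothing for the attacker to forward
    return rp.verify_assertion("alice", challenge, RP_ORIGIN, tag)


def legitimate_login_then_replay():
    """A genuine assertion verifies once; a captured copy is rejected on replay."""
    rp, auth = RelyingParty(RP_ORIGIN), Authenticator()
    rp.register("alice", auth.make_credential(RP_ORIGIN))
    challenge = rp.new_challenge("alice")
    tag = auth.sign(challenge, RP_ORIGIN)
    first = rp.verify_assertion("alice", challenge, RP_ORIGIN, tag)
    replay = rp.verify_assertion("alice", challenge, RP_ORIGIN, tag)
    return first, replay


if __name__ == "__main__":
    print("SMS OTP phish accepted:", otp_phish_succeeds())
    print("device-bound phish accepted:", device_bound_phish_fails())
    print("legitimate, then replay:", legitimate_login_then_replay())
```

The SMS code is accepted because nothing ties it to the page that collected it; the device-bound credential refuses to answer for an origin it was never registered with, and even a genuine assertion is useless a second time because the server consumes each challenge on first use.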