Although multifactor authentication is becoming increasingly popular among companies looking for ways to improve their cybersecurity posture amid the growing number of sophisticated and damaging cyber attacks, the password-only model of security is still going strong.
Earlier this week, SecureAuth Corporation, a provider of multifactor and adaptive authentication products, announced the results of a market survey of nearly 500 senior-level security executives across a spectrum of industries and company sizes.
The survey revealed that exclusive password use is on the decline and multifactor authentication is on the rise. However, 39 percent of respondents currently use password-only authentication measures, even though insecure passwords have been consistently exploited in cyber attacks in recent years.
“Passwords get a lot of bad press,” said Keith Graham, CTO of SecureAuth, but for the cost of implementation they are “a low-cost way to enforce a reasonable level of security.”
However, Graham pointed to a number of downsides to the password-only model of security, including that it’s very difficult for individuals to remember long strings of numbers. Moreover, strong passwords are insufficient if they are not changed frequently.
While passwords have their place, Graham says multifactor authentication has taken on greater importance in the past couple of years. The number of high-profile data breaches over that period has spurred public awareness of the increasingly dangerous nature of the cybersecurity landscape. However, the stigma that once accompanied a damaging attack has gradually been replaced with companies portraying themselves as victims.
Although it is encouraging that companies are willing to open up about security breaches instead of sweeping them under the rug like many did in the past, this transparency needs to result in taking greater strides to safeguard the cyber posture of the organization rather than simply becoming resigned to the fact that a breach will happen.
“We found the results of this survey both eye-opening and a bit disappointing,” said Craig Lund, CEO of SecureAuth. “Despite numerous high-profile cyber-attacks this year that exploited compromised passwords, many businesses are simply not taking the necessary precautions, such as deploying adaptive and two-factor authentication.”
Fortunately, 63 percent of those surveyed said their company plans on changing from, or enhancing, the password-only model in the near future. However, this process will take several years for many companies, leaving them vulnerable in the meantime.
Looking five years ahead, 19 percent of respondents indicated their company’s main method of IT security would be passwords, tokens and biometrics, while 18 percent will utilize two-factor authentication and 16 percent don’t know what the status of network security will be for their organization.
According to the report, the dramatic increase in mobile users has made multifactor authentication even more important, since a single user can access a corporate network from multiple devices. In fact, 37 percent of survey respondents say their users generally employ three devices per week to access the corporate network.
Many companies have numerous authentication policies to meet different regulations. Consequently, one of the major challenges companies face today is normalizing all of their different access and authentication policies.
“There are an abundance of standards that address access – SAML (security assertion markup language), OAuth (Open Authorization), WS-Trust (Web Services Trust Language), WS-FED (Web Services Federation), OpenID, and others – not to mention the various data stores companies have. So choosing the right tool is essential,” the report stated.
When executives were asked who they were most concerned would compromise the company’s network, nearly two-thirds of the respondents said they view employees as their biggest threat.
These fears are not unfounded. Homeland Security Today has reported on numerous occasions over the past year that organizations are increasingly cognizant of the danger posed by insiders, both intentional and unintentional.
Just months ago, Homeland Security Today reported that although the insider threat is on the radar for most organizations, many are repeatedly failing to take the necessary steps to prevent an attack, according to a report sponsored by SpectorSoft and conducted by the SANS Institute.
While there is no silver bullet for authentication, continuous authentication could be the future. The report noted that ensuring that all of a user’s activities on the network are continuously verified could reduce the amount of user inconvenience.
“We hope the survey results will encourage more organizations to evaluate their access control strategies and take recommended measures to improve their security to better protect their users’ identities and detect bad actors in their environment,” Lund said.