Two-Factor Fallacy: 99% Still Believe Two-Factor Authentication is Enough

Two-Factor Fallacy
Author: 
Craig Lund

On the heels of recent mega breaches in which usernames, passwords and security responses were compromised, there’s a growing movement from individuals and businesses for an authentication overhaul. Clearly single-sign on, password-based authentication – and even more traditional two-factor approaches are no longer enough in today’s digital world.

SecureAuth recently issued a survey, in conjunction with Wakefield Research, to gain insight into IT Decision Makers’ (ITDMs) security and authentication practices. The responses were astounding with as many as 99 percent of respondents reporting that two-factor authentication is the best way to protect an identity and its access.

Two-factor Authentication is NOT Enough

Despite a false-sense of security, it’s clear that two-factor authentication is no longer enough. Attackers are learning how to intercept text messages, and as result the National Institute of Standards and Technology (NIST) recently announced they are no longer recommending two-factor authentication using SMS delivered one-time passcodes. A popular Twitter activist had his account compromised after the perpetrator called his mobile provider and convinced them to direct his text messages to a different SIM card — thus enabling the attacker to bypass two-factor authentication. And in case you’re thinking that the problem stops at public figures, SIM card switching scams have become so prevalent that New York’s Division of Consumer Protection recently issued an official warning.

Surprisingly, the survey also found that when it comes to authentication, age is a key factor. Survey results found that younger ITDMs know the insecurity that traditional passwords can bring to an organization’s sensitive assets – and they’re pretty sure they’ll be gone within five years. Indeed, 84% of ITDMs under 40 feel that their organization will do away with passwords completely within the next five years – compared to just 51% of ITDMs 40+.

Passwords Are Going the Way of the Dinosaur

No matter what a company’s authentication strategy looks like today or IT decision-makers’ specific age, they are clear on one thing: traditional passwords are on their way out. 69% of ITDMs feel that their organization will do away with passwords completely within the next five years. But clearly users are misinformed on the value of two-factor authentication.

With recent large-scale breaches, it’s time for companies to adapt. However, here’s one reason companies may be slow to change: ITDMs don’t always have the power to enforce greater security. In fact, one of the top reasons ITDMs have not made improvements to their authentication strategy is resistance from company executives (42%). Worry about disrupting users’ daily routine is also a chief concern (42%). Other obstacles include a lack of resources to support maintenance (40%), a steep employee learning curve (30%) and fear that the improvements won’t work (26%).

Many breached companies and skittish organizations invest in new security point solutions after a breach in hopes of preventing the next attack. But many breaches aren’t swift attacks; instead attackers often gain access with valid user credentials, then linger in the system undetected for a median number of 146 days before being discovered according to Mandiant M-Trends 2016 Report. And while big breaches make the headlines, even a small breach can permanently poison a company’s brand and financial future.

Better Protection – Balancing Act Between Better Methods and User Experience

Alarmingly in spite of these large-scale ramifications, IT decision-makers revealed that just 56% of their organization’s assets are protected by multi-factor authentication. That means that nearly half of company assets are at risk. So where is the gap – why aren’t all organizations implementing more secure authentication? It’s a tough balancing act – organizations must confirm user identities with the strongest forms of access control while balancing a positive, non-intrusive user experience.

Fortunately, user-friendly adaptive access technologies such as device recognition, threat service and geo-location look-up, when used in layers helps strengthen organizations’ security posture, enabling users to stay both secure and productive with minimal disruption to their daily routines. In place of passwords, ITDMs have a few ideas on what’s essential for a company to have in order to authenticate its users securely. These include:

  • Security questions or knowledge-based authentication (73%)
  • Device recognition (59%)
  • Physical biometric, such as fingerprint, facial or iris scans (55%)
  • One-time passcodes (49%)
  • Geo-fencing, geo-location, or geo-velocity capabilities (34%)

Two levels of security is not enough anymore – it’s time for companies to adapt. Companies are learning that password-only policies leave organizations alarmingly vulnerable. Instead, organizations must confirm user identities with the strongest forms of access control while balancing a positive and non-intrusive user experience. Making use of “recognition technologies” such as device recognition, threat intelligence, IP reputation and behavioral biometrics in layers helps strengthen any organization’s security posture beyond just two-factor authentication. These advances in techniques help form a new adaptive authentication shield and help users stay both secure and productive with minimal disruption to their daily routines, creating a win-win for modern organizations.

Learn how SecureAuth is redefining adaptive authentication and, ultimately, making passwords obsolete.

Resource Category: