The password’s time has come

Many organisations are waking up to the data breaches of 2016 and are adopting a fundamentally new approach to authentication.

The scale of data breaches in 2016 was unprecedented, with more than 2.2 billion records stolen and nearly 3,000 public data breaches such as the theft of 117 million LinkedIn accounts.

A more robust and adaptive approach is needed to provide maximum protection and enterprises must explore new authentication solutions.

A study released by SecureAuth today revealed that a stark 83% (4 in 5) of IT decision makers (ITDMs) predict their organisations will be passwordless in five years’ time.

It is evident from this, and general industry trends, that organisations are moving beyond passwords, and even simple two-factor authentication (2FA) to stronger methods to prevent the misuse of stolen credentials.

>See also: Think before you speak: voice recognition replacing the password

A deeper dive into the data finds that in five years’ time southern organisations are more likely to move beyond passwords compared to their northern counterparts (86% vs 60%).

Continuing the trend, only two in ten (17%) still intend to deploy passwords as the sole means of authentication, while nearly half (49%) of millennial ITDMs think their organisation will do away with passwords, compared to only a third (32%) of 35-54 year olds.

The UK’s US counterparts are further behind the curve, with only 69% of ITDMs saying they would phase out passwords in this time frame.

When asked which identity and access methods they predict to have implemented in five years’ time nearly half of respondents said physical biometrics (49%), followed by device recognition techniques (30%), 2FA (30%) and geographic capabilities (29%).

The rise and fall of two-factor authentication

Following a similar survey last year, the implementation of 2FA has grown by 40% from 2015 to 2016 (2% vs. 42%), but will fall to 30% in 2021.

With the General Data Protection Regulations (GDPR) coming into place in 2018, which says all organisations must have at least 2FA in place or face potential fines of up to €20 million or 4% of global annual turnover, participants are divided on its protective capabilities.

47% think it’s the best way to defend an identity, but more than half of IT professionals (52%) disagree.

>See also: Password ignorance will lead to cyber attacks

“It’s not surprising to see a divided opinion of 2FA,” said Keith Graham, SecureAuth chief technology officer. “ITDMs face an ongoing battle as they feel they are forced to choose between increased security and good user experience. This is a paradigm for the old, broken approach that lets attackers through the front door.”

“It is possible to both strengthen security and not interfere with user’s experience with adaptive authentication techniques. This fundamentally new approach integrates with existing infrastructures to perform risk-analysis that simultaneously strengthens prevention, detects risks and works invisibly to the user.”

Strong security vs. positive user experience

The extensive survey revealed that 27% of ITDMs said the fear of disrupting users’ daily routine was holding them back from enhancing their authentication strategy.

Also, a quarter of users preferred access to their resources without any secondary steps. So while ITDMs are ready to embrace adaptive authentication and passwordless technologies from biometrics to geographic based capabilities, challenges remain. Yet it need not be this way.

>See also: Are the Brits too trusting of biometric security?

“While 2FA methods are certainly better than username and password alone, over 15 years of experience shows users don’t want to take extra steps to secure themselves,” said Graham.

“Technology has to better solve the problem so that users can adopt without friction. Modern approaches such as adaptive access control techniques bring greater security to these organisations attempting to ‘close their front door’ to attackers, while not bothering authorized users unless there is risk. Users must buy in to help companies close the front door to prevent becoming the next mega breach in the news.”

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...