Single-factor, password-based authentication – and even many traditional two-factor approaches – are no longer enough to secure today’s increasingly digital world.
These techniques, including usernames, passwords and security questions, do not sufficiently protect organisations and the critical data they hold, as seen in the spate of recent breaches such as Yahoo!
According to the 2016 Verizon Data Breach Investigations Report, 63% of the attacks it studied leveraged weak, default or stolen credentials at some point in the attack.
This indicates that, in order to combat the rising tide of credential abuse, organisations must implement stronger forms of authentication.
Despite this, users and organisations are still slow in adopting stronger security measures.
Some organisations have a tough time finding ways to increase security without creating a lot of resistance from either employees or customers, especially as most employees don’t always think about security as their priority, while customers just want to access their accounts as quickly as possible.
Most employees hate additional authentication steps or hoops to jump through:
- Having to adhere to a strong password policy – logging in, logging in again, waiting for access, changing passwords every 90 days, complex passwords that are difficult to remember.
- Using antiquated two-factor authentication with cumbersome hardware tokens: adding a PIN code at every log-in, carrying around a hardware token, not to mention the expense to the organisation of replacing tokens and the support/maintenance drain on IT staff.
- Waiting on hold with Help Desk instead of immediately being able to help ourselves with tools like self-service password reset and account unlocking.
Individuals can make it easier on themselves by adapting and selecting access capabilities to fit their needs, removing barriers to adoption.
In October, SecureAuth conducted a survey of IT decision makers in the US and found that 69% of respondents say their organisation is likely to do away with passwords within the next five years.
This is good news. A growing movement of individuals and businesses opting for an authentication overhaul means there is a real understanding of the limitations of existing protocols and a concerted drive to limit the potential for future network breaches.
It’s in everyone’s best interest to make it more difficult for attackers to cause further damage to our economy.
Yet, these advocates often face multiple challenges from their company’s executives.
Top reasons hindering authentication strategy improvements cited by respondents to SecureAuth’s survey include:
1. Disruption to users’ daily routine.
2. Lack of resources to support maintenance.
3. Steep employee learning curve.
4. Fear the improvements wouldn’t work.
However, multi-factor authentication need not be disruptive; a simple user experience can be maintained.
User-friendly adaptive access technologies include device recognition, threat services (leveraging information from a network of 11 million advanced threat sensors to determine blacklisted IP addresses) and geo-location look-up.
When used in layers, such techniques can strengthen any organisation’s security posture.
This enables users to stay both secure and productive with minimal disruption to their daily routines.
It’s time for companies to adapt and move away from the simple password.
To future-proof, organisations must look to invest in such adaptive authentication that contextualises the above elements for accurate user identification.
Importantly, these techniques all happen behind the scenes, increasing security without getting in the way of the end-user experience.
Eliminating passwords removes any reliance on them and means that compromised credentials are no longer a risk.
Strong security during authentication no longer has to be at the expense of the end user; workers and organisations can now have both. It doesn’t have to be a compromise.
Sourced by James Thompson, director EMEA, SecureAuth