SecureAuth Corporation, the leader in adaptive access control, today reveals that many organisations are waking up to the data breaches of 2016 and are adopting a fundamentally new approach to authentication. With a stark 83% (4 in 5) of IT decision makers (ITDMs) predicting their organisations will be passwordless in five years’ time, it is evident organisations are moving beyond passwords, and even simple two-factor authentication (2FA), to stronger methods to prevent the misuse of stolen credentials.
A deeper dive into the data finds that in five years’ time:
- Southern organisations are more likely to move beyond passwords compared to their Northern counterparts (86% vs 60%)
- Only two in ten (17%) still intend to deploy passwords as the sole means of authentication
- Nearly half (49%) of millennial ITDMs think their organisation will do away with passwords, compared to only a third (32%) of 35-54 year olds
- Our US counterparts are further behind the curve, with only 69% of ITDMs saying they would phase out passwords in this time frame
When asked which identity and access methods they predict they will have implemented in five years’ time, nearly half of respondents said physical biometrics (49%), followed by device recognition techniques (30%), 2FA (30%) and geographic capabilities (29%).
The Rise and Fall of Two-Factor Authentication
Following a similar survey last year, the implementation of 2FA has grown by 40% from 2015 to 2016 (2% vs. 42%), but will fall to 30% in 2021. With the General Data Protection Regulation (GDPR) coming into place in 2018, which says all organisations must have at least 2FA in place or face potential fines of up to €20 million or 4% of global annual turnover, participants are divided on its protective capabilities. While 47% think it’s the best way to defend an identity, more than half of IT professionals (52%) disagree.
“It’s not surprising to see a divided opinion of 2FA. ITDMs face an ongoing battle as they feel they are forced to choose between increased security and good user experience. This is a paradigm for the old, broken approach that lets attackers through the front door,” said Keith Graham, SecureAuth chief technology officer. “It is possible to both strengthen security and not interfere with users’ experience with adaptive authentication techniques. This fundamentally new approach integrates with existing infrastructures to perform risk-analysis that simultaneously strengthens prevention, detects risks and works invisibly to the user.”
The scale of data breaches in 2016 was unprecedented, with more than 2.2 billion records stolen and nearly 3,000 public data breaches, such as the theft of 117 million LinkedIn accounts. A more robust and adaptive approach is needed to provide maximum protection, and enterprises must explore new authentication solutions.
Strong Security vs. Positive User Experience
In fact, 27% of ITDMs said the fear of disrupting users’ daily routine was holding them back from enhancing their authentication strategy. Also, a quarter of users preferred access to their resources without any secondary steps. So while ITDMs are ready to embrace adaptive authentication and passwordless technologies, from biometrics to geographic-based capabilities, challenges remain. Yet it need not be this way.
“While 2FA methods are certainly better than username and password alone, over 15 years of experience shows users don’t want to take extra steps to secure themselves,” said Graham. “Technology has to better solve the problem so that users can adopt without friction. Modern approaches such as adaptive access control techniques bring greater security to these organisations attempting to ‘close their front door’ to attackers, while not bothering authorized users unless there is risk. Users must buy in to help companies close the front door to prevent becoming the next mega breach in the news.”