LAS VEGAS, Oct. 24, 2017 -- Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS one-time passwords (OTPs) that leave them vulnerable to data breaches, according to Javelin Strategy & Research’s new “2017 State of Authentication Report” released today. Javelin recommends businesses adopt readily-available high-assurance strong authentication, which utilizes public key cryptography as one of multiple factors, to bolster security in light of increasingly effective attacks against traditional authentication methods.
The report, sponsored by the FIDO Alliance, analyzes the state of customer and enterprise (employee) authentication amongst U.S. businesses. It examines how strong authentication is evolving, and offers a detailed breakdown on the factors influencing industries’ adoption of authentication solutions. It is available for download at https://fidoalliance.org/2017-state-authentication-report/.
The report’s key findings show:
- In most cases, the only thing between company IP and hackers is a password: The mass compromise of passwords has contributed to increased risk of fraud on consumer accounts and network-level attacks from credential-stuffing botnet attacks, yet over half of all businesses still use only passwords to protect company IP and financial data.
- Companies are more likely to offer strong authentication to their customers than their employees within the enterprise, but both segments are lagging in adopting high-assurance strong authentication: 50 percent of businesses offer at least two factors when authenticating their customers but only 35 percent of enterprises use two or more factors for authenticating their employees to data and systems. Amongst both, high-assurance strong authentication is rare — only five percent of businesses offer the capability to customers or leverage it within the enterprise.
- Companies still rely upon knowledge and not possession: The weakest authentication factors remain the most popular and common, and they’re based on knowledge, not possession. Businesses are using passwords plus static questions (31 percent) or SMS OTPs (25 percent) as their additional factors for customer authentication online. In enterprise, the next most common authentication method to passwords is static questions (26 percent). Factors predicated on possession such as a security key or on-device biometrics remain the exception and not the norm.
- Integration and user experience are the priority: Companies’ implementation of authentication solutions is mostly driven by a solution’s ease of integration, according to the report. Also, if a solution has a perceived negative impact on the user experience, companies will resort to the easier second factors like static security questions.
“Not all multi-factor authentication combinations are created equal, and it’s time to set a new yardstick with which to measure strong authentication methods, with the strongest deemed ‘high assurance,’” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders. We believe that the adoption of high-assurance strong authentication will only increase in the months and years to come -- and data breaches as the result of credential theft to decline.”
High-assurance strong authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials -- which are known vulnerabilities with passwords, static questions and OTPs. Javelin recommends companies strongly consider high-assurance strong authentication:
- To bolster authentication after a breach. Supplement and possibly knowledge factor solutions. In the event of a breach, businesses would do well to layer additional, high-assurance authentication solutions simultaneously with their remediation plan.
- As a differentiator when emphasizing the value proposition with prospective clients. Using high-assurance strong authentication is both an effective preventative measure and a message to prospects and clients that they are safe doing business with a vendor.
- Where it counts within the enterprise. Anything internet-facing and internal systems that are attractive targets for insider threats should have high-assurance strong authentication.
“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “Stronger ‘high-assurance’ authentication options that bind credentials to the device so they cannot be stolen are now widely available and this report provides businesses a clear guide to make those options available to both customers and employees.”
Javelin’s Al Pascual and the FIDO Alliance’s Brett McDowell will discuss the “2017 State of Authentication Report” during a workshop, “Identity is Fundamental: What You Need to Know About Identity & The Future of Money” on Oct. 25 at Money20/20. For more details, visit: https://us.money2020.com/sessions/identity-is-fundamental-what-you-need-to-know-about-identity-the-future-of-money
Anyone interested in taking a deep dive into the 2017 State of Authentication Report should attend a free webinar on Thursday, Nov. 16 at 12:00pm ET. Register here for the Javelin Research 2017 State of Authentication Report Webinar.
Report methodology:
The “2017 State of Authentication Report” was developed by Javelin Strategy & Research and sponsored by the FIDO Alliance. The report findings are based on data and insights gathered from two online surveys of 200 businesses who possess authenticated customer online or mobile portals and 200 businesses who possess authenticated employee portals. Findings are also augmented by in-depth interviews conducted with industry executives in roles influencing enterprise authentication policies. The definition of High Assurance Strong Authentication is based on updated guidance from the National Institute of Standards and Technology (NIST SP800-63-3).
About FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.
CONTACT:
Megan Shamas
Montner Tech PR
203-226-9290





