Use a password at work? You probably won’t for much longer

Traditional passwords will get the elbow from the majority of companies over the next five years

Are you still typing in a password for logins at work? Odds are that you won’t be for too much longer, seeing as the vast majority of organisations are planning to dump traditional passwords within the next half a decade, moving to more secure methods of authentication instead.

According to a new survey which took in the opinions of over 200 IT decision-makers in the US (commissioned by SecureAuth and carried out by Wakefield), no less than 69% of firms said they’ll ditch passwords within the next five years.

SecureAuth pointed to the recent massive Yahoo breach (which is still making its fallout felt in terms of the Verizon deal) and other big leaks which spilled countless numbers of usernames and passwords as one major reason why businesses are looking for alternatives to the traditional password.

Of course, password authentication with just a single-factor of verification is obviously particularly weak and vulnerable to such breaches, yet the survey found that companies were only using multi-factor authentication to protect 56% of their assets.

Craig Lund, CEO of SecureAuth, observed that: "Single-factor, password-based authentication – and even many traditional two-factor approaches – are no longer enough in today's increasingly digital world. And with costs associated with cyber-attacks totalling millions of dollars a year, it's in everyone's best interest to make it more difficult for attackers to cause further damage to our economy."

Disruption fears 

So why are businesses failing to adopt multi-factor verification in more cases? This question was posed to the IT bigwigs, and the most common excuse was the reticence of company executives, and also the potential for disruption to the daily routine of staff.

Both of those points were tied on 42% as the foremost reasons. Close behind them were complaints about a lack of resources to support maintenance of such systems (40%), and the fact that they potentially involve a steep learning curve for staff members (30%).

The simple fear that multi-factor techniques might not work or wouldn’t make any difference was also a factor for 26% of respondents.

Almost everyone questioned – 99% of these IT decision-makers – agreed that two-factor authentication was the best form of protection, yet as Lund said previously, even the two-factor approach isn’t strong enough in some cases. He pointed to the use of codes sent via text message as a second-factor of authentication, a method which has been circumvented by malicious parties in recent attacks.

Knowledge-based authentication (i.e. security questions like the maiden name of your mother) were also cast in a doubtful light, in terms of the answers often being readily discernible to those who comb the likes of social media profiles.

Security essentials 

Even so, 73% said that such security questions were an essential measure for a company to implement in terms of authentication. SecureAuth, however, also points out that stronger defensive measures were also cited as essential – including device recognition (which 59% of respondents mentioned), biometric authentication such as fingerprint recognition (55%), and geolocation capabilities (34%).

Businesses should be looking towards such stronger measures, and SecureAuth also underlined the fact that organisations should be bolstering defences beyond “legacy two-factor approaches” to include “behind the scenes adaptive risk checking that increases security while not getting in the way of the end user experience.”

Of course, that’s the key to introducing any additional layers of security – if it frustrates users, it’s not likely to go down well, or be a tenable long-term strategy.

Via: PC World