I am used to reading articles calling for passwords to be replaced; in fact, I have written a number of them myself. However, I was shocked to read the headline on DARKreading “Multi-factor IT Authentication Hampers Progress, Says 47% US Companies”. However, should I have been surprised?
Maybe yes and maybe no.
The story was based on a survey by IS Decisions which indicates people working in the US are losing 22 minutes per week due to complicated security steps. It also reports that 28% of companies rejected multi-factor verification because of infrastructure issues.
Judging by conversations my team and I have with people using or running security systems of all shapes and sizes, the truth is that people can lose just as much time each week, or more, dealing with non-complicated security steps, whether you are the worker who has forgotten his password (or failed to reset it in time), or the person working on the IT helpdesk that is handling these issues day in, day out.
However, to address the issue of ‘complicated security’, I strongly suspect many of the people surveyed are talking about their experience of just one type of multi-factor system – the dreaded hard-token. Ask anyone that is still required to use a hard-token and you will get similar negative responses. Whilst I appreciate that this type of multi-factor system has for a long time delivered strong authentication, it is very much old technology, hanging around like a bad penny because it was so expensive to invest in once upon a time, and perceived to be too complex to change now.
New approaches to multi-factor authentication have emerged that address head-on the issues of hampering progress and infrastructure. Where hard-tokens are very resource-hungry in terms of cost to procure, implement and roll out (and then the not insignificant running costs), new approaches to multi-factor leverage investments that have already been made by the organisation. Why buy thousands of hard-tokens when the mobile devices in every worker’s pocket, that they carry with them everywhere, can perform the same task? As a result, roll-out to thousands of devices (regardless of where they are in the world) can be done in minutes and hours, rather than days and weeks.
My plea to the 28% of companies that have chosen to reject multi-factor altogether is to have a closer look at the next generation of authentication solutions. It is no longer a one-size-fits-all, take it or leave it market. The latest authentication systems are affordable, scalable and flexible. A great example of this is the emergence of 1.5FA for instances where security greater than a password is required but full 2FA would be overkill.
Threats to companies are multi-faceted. What is more, industry regulators and governments are only going to get tougher and tougher on organisations that do not take the right steps to safeguard against attacks and data breaches. When running an authentication system, it should never be a trade-off between enhanced security, the user experience and productivity, and now it doesn’t have to be.
You can read the DARKreading article in full at: http://www.darkreading.com/operations/multi-factor-it-authentication-hampers-progress-say-47–us-companies/d/d-id/1326858