(Source – Shutterstock)

Relying only on multi-factor authentication may not be sufficient to deal with cyberattacks

Getting your Trinity Audio player ready...

When it comes to cybersecurity, authentication methods remain the key tool in intensifying the security of an organization. Be it zero-trust, multi-factor authentication (MFA), or biometrics, all these methods are what authentication is all about.

Over the years, authentication methods for organizations have evolved with passwords being the most common method. Prior to passwords, in the past, before the age of computers, authentication methods would normally be the ability to recognize a person or subject before permitting them.

Those same methods have not been enhanced, improved and implemented into modern authentication tools. For example, biometrics is mostly all about recognizing fingerprints while recognition tools authenticate by identifying the physical features of users, be it facial, eyes, or even palms. Even then, these authentication tools were still not sufficient. Hence, businesses started implementing MFA.

Authenticating users is only one part of cybersecurity. There was also the need to authenticate devices and the network. All of these were being exploited by cybercriminals to launch cyberattacks on organizations all around the world.

According to SecureAuth’s inaugural State of Authentication Report, conducted by ViB Research, IT and security professionals are worried about the security risks of traditional MFA, with 55% reporting that relying on one-time passwords (OTP) using texts and phone calls leaves them open to cyberattacks.

The report provides deep insights into the state of authentication and the latest innovation adoption trends including invisible MFA, device trust, and passwordless technologies based on a survey of IT and security professionals from mid to large enterprises in North America. While the survey is focused on North America, the problem faced by enterprises there is pretty much the same as those around the world as well.

There is no denying that organizations continue to be under tremendous pressure to rethink the effectiveness of current authentication initiatives. Additionally, cyber insurance carriers are requiring companies to demonstrate strong controls over authentication before they will provide any cyber insurance coverage or pay higher premiums. Although respondents agree that traditional MFA is better than nothing, they are most concerned with its susceptibility to cyberattacks (54%) and the friction it creates for users (30%).

What’s alarming is that only 5% of respondents are very confident that traditional MFA can combat credential-related cyberattacks while 40% are somewhat confident. An additional 21% feel traditional MFA cannot be used as an effective hacker deterrent because user adoption rates are too low. And over half of those surveyed are either not sure or concerned that their organization will lose cyber insurance coverage if they continue with traditional MFA.

Is passwordless the future of authentication?

On the question of moving to a passwordless environment, a whopping 65% are planning on implementing passwordless technologies in the next 24 months. Nearly a third are planning to do so in the next six months, and another third are looking at the 12-24 month horizon.

In fact, more tech providers are also making their products passwordless. For example, Microsoft has already enabled passwordless authentication for some of its products including email services.

“In FIDO Alliance’s 2022 Online Authentication Barometer report, we found that password usage was down, however, 70% of people still had to recover a password at least once in a given month,” stated Andrew Shikiar, Executive Director and CMO of FIDO Alliance.

“Although companies are offering more ways to authenticate such as legacy MFA solutions, these technologies are still easily exploitable with ‘MFA bombing’, ‘man-in-the-middle’, and other attacks. SecureAuth’s State of Authentication Report further validates that it is time for organizations to move beyond legacy forms of MFAs and onto passwordless technologies,” added Shikiar.

Other findings from the report also indicated that authentication security is a top priority as 84% of respondents consider authentication and access management as the top 5 security priorities. These results demonstrate the importance of authentication and access management for IT and security teams in an extremely crowded market and threat landscape.

Another interesting finding is that 76% of respondents use multiple identity providers (IdPs), a surprising trend in contrast to the usual consolidation of cybersecurity tools. The respondents highlighted high availability or failover, unique use case requirements, and preferred best-of-breed approach reasons. As over 80% of cyberattacks focus on credentials, practitioners need to have a backup system in case their primary IdP product goes down or is compromised by an attack.

There is also another concern in authentication as device trust isn’t used at all according to 25% of the respondents. Under 50% of respondents use it for mobile security while only 25% use it for safeguarding Mac workstations. This indicates that organizations are missing a simple, but effective way to improve their security posture by not using device trust as the start of every user’s digital journey.

For Paul Trulove, CEO of SecureAuth, many organizations are making steady progress in protecting customer and employee accounts and credentials from malicious activity.

“However, based on this survey, it’s clear that traditional authentication approaches, which are dependent on legacy MFA, have not kept up with adversarial advancements, and more needs to be done to ensure credentials are safe from cyberattacks. It’s reassuring to see that an overwhelming number of organizations are planning to implement passwordless authentication technology within the next two years. But passwordless is not enough. Organizations need to move towards continuous authentication that manages a user’s entire digital journey from pre-authentication to post-authorization to be truly secure and provide users with a frictionless experience,” mentioned Trulove.