Strong cryptographic authentication for consumers has tripled since 2017
The use of public key cryptography as one of multiple authentication factors has tripled for consumer authentication and grown by 50 percent for enterprise employee authentication since 2017, according to a new report sponsored by the FIDO Alliance.
Javelin Strategy & Research’s “The State of Strong Authentication 2019” report shows organizations are investing in cryptographically stronger, phishing-resistant forms of authentication in the face of frequent data breaches and increasingly sophisticated phishing attacks. It also indicates that PSD2 and data protection regulations in the EU and U.S. states are driving the adoption of strong authentication, with 70 percent of respondents agreeing that they face regulatory pressure to provide customers with strong authentication.
“It’s great to see that organizations are recognizing that passwords, and even one-time passcodes, do not provide sufficient protection against today’s threats,” says FIDO Alliance Executive Director Brett McDowell. “I hope this study helps to raise awareness of new cryptographically-backed authentication capabilities, compliant with industry standards from FIDO Alliance and W3C, now widely available in leading web and mobile app platforms. These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users — allowing them to use their finger, face or security key to log in to all of their favorite websites and applications.”
Despite increasing awareness of the pressures of regulation and cybercrime, two-thirds of businesses continue to authenticate employees with only passwords, believing they are “good enough” for the kind of information they protect.
Javelin says that not all strong authentication methods are equal, and those based on standards and cryptography, like FIDO, can help organizations lower the costs associated with regulatory compliance, meeting customer expectations, and preventing increasingly sophisticated fraud schemes. The research firm also recommends shifting away from OTPs, as social engineering, phone porting and malware are used to compromise OTP authenticators.
“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realize that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny. As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cybercriminals.”
The FIDO Alliance and Javelin will present the report findings in a webinar on February 7.
A pair of FIDO Alliance standards for biometrics and strong authentication were officially recognized by the ITU in December.