Report shows data breaches, phishing and regulations are driving rapid adoption of strong authentication

As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organisations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, Javelin Strategy & Research’s new “The State of Strong Authentication 2019” report has found.

The report, sponsored by the FIDO Alliance, analyses the state of customer and enterprise (employee) authentication amongst U.S. businesses and draws conclusions on the role strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.

In the report, Javelin’s key findings and recommendations show:

• Strong authentication implementations have grown dramatically since 2017. The number of organisations using cryptographically-backed strong authentication, where one of multiple authentication factors uses public key cryptography, has tripled since 2017 for consumer authentication and increased by nearly 50 percent for enterprise authentication in the same period. This form of authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials -- which are known vulnerabilities with passwords and one-time passwords (OTPs)
   
• Regulation is accelerating strong authentication adoption. Nearly 70 percent of businesses agree they face strong regulatory pressure to provide strong authentication for their customers. This is attributed to the introduction of PSD2, along with data protection regulations in the EU and U.S. states such as California
   
• Strong authentication holdouts are underestimating risks to their businesses and customers. Two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are “good enough” for the type of information they are protecting, despite cybercriminals’ continuing to target a wide variety of consumer and business information
   
• Not all strong authentication is created equal. According to Javelin, adopting strong authentication solutions that are based on standards and employ cryptographic security (like FIDO Authentication) can help organisations lower the cost of keeping up with regulation, customer expectations and increasingly sophisticated fraud schemes
   
• It’s time to sunset OTPs. With cyber criminals using social engineering, phone porting and malware to compromise OTP authenticators, Javelin recommends moving away from them and adopting cryptographically-backed strong authentication

The report includes case studies from Google, Tradelink and Visa, all of which are leveraging FIDO Authentication to provide stronger protection for customer and employee accounts.

“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realise that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny. As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cybercriminals.”

“It’s great to see that organisations are recognising that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “I hope this study helps to raise awareness of new cryptographically-backed authentication capabilities, compliant with industry standards from FIDO Alliance and W3C, now widely available in leading web and mobile app platforms. These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users -- allowing them to use their finger, face or security key to login to all of their favorite websites and applications.”