Companies Say Strong Authentication Important But Still Over-Rely on Passwords

The need for improved access control is proven by empirical observation -- it keeps failing. But improving access control beyond passwords suffers from a fundamental contradiction: while 98% of companies believe strong authentication is necessary for secure cloud adoption, 41% believe the username/password combination is one of the most effective access management tools, and 58% allow their employees to log on to corporate resources via social media credentials.

This combination -- an understanding that the status quo needs to be improved while claiming that the status quo is still good enough -- is harder to accept than it is to understand. It's all down to balancing security with convenience. Users, whether they are visiting a website to make purchases or working at a desk in the office, do not like being put through the hoops normally required by stronger authentication. This explains why companies cling to the old password-based authentication while nevertheless understanding that it is no longer good enough.

The figures come from a survey (PDF) conducted by Vanson Bourne and commissioned by Thales. Three hundred IT/security professionals were queried in the U.S. and Brazil for the Thales 2020 Access Management Index. Twenty-six respondents represented organizations with more than 5,000 employees, 151 with between 1,000 and 5,000 employees, 73 between 500 and 999, and 50 from organizations with between 250 and 499 employees.

Ninety-five percent of respondents have implemented multi-factor authentication. This figure is difficult to reconcile with the assertion of 28% who view social media credentials as one of the best tools for protecting cloud and web-based authentication. Social media log-on is well liked by users for its convenience, but it flies in the face of one of the fundamental requirements for all security professionals: visibility. Companies have zero visibility into how or how well their users' credentials are being protected by the social media companies. Nor will they necessarily know whether those credentials have been leaked or stolen. In March 2019, Brian Krebs reported that "between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees."

The need for improved access control is now urgent with the expansion of business transformation, greater cloud adoption and growth in remote working. Ninety-seven percent of the respondents expect problems for their organization if every cloud application in use is not secured properly. There is, however, no general consensus emerging from this survey on how that should be achieved.

Surveys, of course, should always be viewed critically because of the potential for unseen bias in the questions, and questionable interpretation of the answers. An example here is the report's statement that "Two-factor and biometric authentication stand out as the best tools for protecting cloud and web-based applications." There is no explanation of the difference between two-factor and biometrics (biometric authentication is two-factor), nor is there an explanation of which biometric is being used -- nor even a statement on whether it is physical or behavioral biometrics. On interpretation, it isn't clear how respondents' answers to questions on usage and plans can justify the phrase, 'the best tools'.

The issue of behavioral biometric authentication is interesting -- it isn't mentioned once in the report. This may be because no relevant question was asked, or because nobody is using or even considering its use. It could be, of course, that behavioral biometrics is wrapped up in the terms 'passwordless' and/or 'contextual', a combination often considered to be the holy grail of future secure user authentication. There are several current initiatives (here and here) aimed at using smartphones as a form of secure user token to eliminate passwords -- but smartphone-based access control is not mentioned in the report.

Similarly, the term 'passwordless' has little mention. It occurs in just two of the statistics, and once in the conclusion. The conclusion states, "Organizations that utilize cloud-based access and passwordless authentication to scale secure cloud adoption will be able to meet the increased need for improved security, especially at a time when access control is critical for today's remote workforce." With no discussion about what 'passwordless' is or entails, there is a danger that this appears to be a preconceived opinion rather than an argument based on the survey results.

Concerns aside, however, the respondents display a strong user bias towards the use or adoption of single sign-on as a method of increasing security without decreasing user convenience. Even the new smartphone passwordless systems fall back on single sign-on providers to do the heavy lifting. Fifty-nine percent of the respondents said they have already "adopted Smart Single Sign-on technology" (the term 'Smart' is used to differentiate Thales' SSO from others, but it is not always clear whether this is done consistently throughout the survey report); while 86% are "planning to further expand their use of this technology in the next year."

This is enough for the report to recommend, "To offer the most frictionless experience possible without sacrificing security, organizations can leverage cloud SSO combined with contextual information and step-up authentication. This allows users to access all their cloud and web applications with a single identity, while IT only needs to enforce stronger access security in high-risk situations."
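A minimal illustration of that recommendation, as an added example that is not code from the report or from Thales: an SSO provider evaluates contextual signals about a request and only demands step-up authentication in the high-risk cases. The AccessContext fields, the eight-hour session limit and the sample requests are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Context an SSO provider has about one request (assumed field set)."""
    user: str
    app: str
    app_sensitivity: str     # "low" or "high", declared by the app owner
    device_known: bool       # device enrolled or previously seen for this user
    network_trusted: bool    # corporate network or VPN
    country: str             # geolocation of this request
    home_country: str        # user's usual country
    sso_auth_age_s: int      # seconds since the SSO session was established


SSO_SESSION = "sso_session"   # the existing single identity is enough
STEP_UP_MFA = "step_up_mfa"   # demand a stronger factor before granting access


def risk_signals(ctx: AccessContext, max_age_s: int = 8 * 3600) -> list:
    """List the contextual signals that make this request high-risk."""
    signals = []
    if not ctx.device_known:
        signals.append("unknown_device")
    if not ctx.network_trusted:
        signals.append("untrusted_network")
    if ctx.country != ctx.home_country:
        signals.append("unusual_location")
    if ctx.sso_auth_age_s > max_age_s:
        signals.append("stale_session")
    return signals


def required_assurance(ctx: AccessContext) -> str:
    """Apply the step-up policy: high-sensitivity apps always step up,
    everything else steps up only when a risk signal is present."""
    if ctx.app_sensitivity == "high" or risk_signals(ctx):
        return STEP_UP_MFA
    return SSO_SESSION


# Constructed sample requests (not survey data).
ROUTINE = AccessContext("alice", "wiki", "low", True, True, "US", "US", 600)
TRAVELING = AccessContext("alice", "wiki", "low", True, False, "BR", "US", 600)
PAYROLL = AccessContext("alice", "payroll", "high", True, True, "US", "US", 600)

if __name__ == "__main__":
    for ctx in (ROUTINE, TRAVELING, PAYROLL):
        print(ctx.app, required_assurance(ctx), risk_signals(ctx))
```

The routine request rides on the SSO session, while the same low-sensitivity app opened from an unfamiliar network and country, or any high-sensitivity app, triggers step-up.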

Related: Is Conditional Access the Right Approach to Authentication? It Depends

Related: Why User Names and Passwords Are Not Enough 

Related: The More Authentication Methods, the Merrier 

Related: Is Passive Authentication the Future for User Authentication? 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.