Cyber Attacks Concept

Adoption of ‘High-Assurance Strong Authentication’ Recommended for Businesses

A new report from Javelin Strategy & Research recommends businesses adopt readily available high-assurance strong authentication to bolster security in light of increasingly effective attacks against traditional authentication methods.

The research, which was sponsored by FIDO Alliance, suggests that businesses continue to be vulnerable to data breaches because they rely on passwords, and, if they opt to implement additional authentication factors, they choose outdated options like static questions and SMS one-time passwords (OTPs). The report identifies the weakest authentication factors—those based on knowledge, not possession—and reports they remain the most popular and common. Businesses are using passwords plus static questions (31 percent) or SMS OTPs (25 percent) as their additional factors for customer authentication online. This is true despite the fact that strong authentication is evolving and is readily available, according to Al Pascual, Javelin’s senior vice president and research director. “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders,” he said in a press statement.

Currently, companies are more likely to offer strong authentication to their customers than to their employees, but the research shows that both are lagging in the adoption of high-assurance strong authentication. Fifty percent of businesses offer at least two factors when authenticating their customers but only 35 
percent of enterprises use two or more factors for authenticating their employees to data and systems. Between the two, use of high-assurance strong authentication is rare—only 5 percent of businesses offer the capability to customers or leverage it within the enterprise.

“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. Consequently, the report recommends companies strongly consider high-
assurance strong authentication because it is not susceptible to phishing, man-in-the-middle, or other attacks targeting 
credentials—which are known vulnerabilities with passwords, static questions, and OTPs.