The SecureAuth Corporation survey also found that stolen credentials are at the core of a startling number of breaches. According to the 2016 Verizon Data Breach Investigations Report, 63 percent of the attacks it studied leveraged weak, default or stolen credentials at some point in the attack, indicating that organizations must implement stronger forms of authentication to hinder the rising tide of credential abuse.
The survey found that organizations on average are only protecting 56 percent of their assets with multi-factor techniques. When asked why they had not yet made improvements to their authentication strategy, the respondents cited resistance from company executives and disruption to users' daily routine as the top hindrances—tied at 42 percent. Other reasons for not adopting an improved authentication strategy include:
• Lack of resources to support maintenance - 40 percent.
• Steep employee learning curve - 30 percent.
• Fear the improvements wouldn't work - 26 percent.
Shockingly revealed in the survey, was nearly all (99 percent) of respondents agree two-factor authentication is the best way to protect an identity and its access. However, recent news has shown that many traditional two-factor authentication methods, such as SMS-based one-time passwords, are being circumvented by attackers in well-crafted phishing attacks. Illustrating this inherent risk, the National Institute of Standards and Technology (NIST) recently announced a proposal to no longer recommend two-factor authentication using SMS delivered one-time passcodes as an out-of-band authentication method. Indeed, basic two-factor authentication alone is no longer enough—and it's time for companies to adapt.
Furthermore, the majority (73 percent) of respondents cited security questions or knowledge-based authentication (KBA) as the most essential measure for a company to authenticate its users securely. However, attackers often compromise these security questions and answers, greatly increasing an individual's exposure to cybercriminal attacks. Responses to some security questions can also be gleaned from social media sites, social engineering attacks and even a cybercriminal's educated guess.
Encouragingly, other measures deemed essential by ITDMs for their organization's authentication strategy include: device recognition (59 percent); a biometric, such as fingerprint, facial or iris scans (55 percent); one-time passcodes (49 percent); and geo-fencing, geo-location or geo-velocity capabilities (34 percent).