THE STATE OF MULTI-FACTOR AUTHENTICATION (MFA)

Keeping up with change and new technological developments is one of the basic challenges of cyber-security. The hype and excitement around IoT, Cloud and Big data developments is shared by everybody, including those seeking to exploit vulnerabilities. A staggering 60% of the respondents to Thales’s 2019 Data Threat Report have experienced a breach until now, out of which 30% were breached in the last year alone. Even though 86% of respondents are aware of their vulnerability to cyber security threats, only 50% of them expect an increase in their security budget, a figure considerably smaller than the previous year’s count of 79%. Ironically, implementing adequate breach prevention measures is a low priority, with responding to a breach that took place in the past being one of the least prioritized security initiatives. 66% of organisations feel that they have strong security in place for new technological deployments. In fact, as data environments become more complex and companies move towards cloud deployments, organizations may be tempted to leave security to cloud providers, even though it should be a shared responsibility, regardless if we’re talking about SaaS, IaaS or PaaS. The top 9 environments used to store sensitive or regulated data, according to the 2019 Thales Data Threat Reportare: Over 40% of respondents use all available types of cloud environments: SaaS, IaaS and PaaS. IaaS deployments take the second place in the top, followed by PaaS and Mobile Applications. Despite these risky new technological deployments, companies are somewhat aware of the dangers they bring, as they enable new types of attacks as well. Data breaches can cost companies millions of dollars, as their cost is not only quantifiable in terms of immediate costs, but also loss of reputation and customer confidence. While they are aware of the risk of data breaches, businesses might not always admit their key vulnerability: passwords. Employee use of weak passwords, combined with password sharing, reuse and remote working create a whole lot of attack opportunities. For the 5th year in a row, “123456” is most used password, with “password” coming in at second place. Considering the high level of risk, companies need to be turning their attention towards securing this key vulnerability.

The age of Multi-factor

A stronger Authentication/ Identification mechanism is among the most preferred methods of increasing the security of new technologies. When it comes to adopting data security technologies, about half of security professionals support technologies such as Encryption, Multi-factor Authentication and Hardware Security Modules.

Top adopted security controls by implementation status:

Adding a second factor to the authentication process has made it possible for companies to secure critical information and increase their chances of meeting security goals. Multi Factor Authentication is one of the data security developments that have been quietly waiting for their turn in the spotlight. But even though MFA’s time has finally come, making its way through a world filled with passwords is still a challenge.

Challenges and barriers to adoption of MFA

Generally, even though companies are aware of their flawed data security strategy and the increasing threats, there are often barriers that prevent them from adopting new security tools. Businesses are faced with strategic decisions all the time, and data security is nothing less than that.
Top barriers to adoption of data security in companies:

The most prominent barrier to adopting new data security solutions is complexity, as 40% of companies have chosen it as the top obstacle. The second runner up, with more than 35% of the answers, is the concern about impacts on performance and business process. A lack of budget to adoption of increased data security is the third impediment on businesses’ minds, with ~33% of answers.

Multi-factor authentication faces the same obstacles and reluctance as any new security development, despite its obvious superiority to classical authentication mechanisms, and inclusion in recent data Regulations, such as DFARS (Defence Acquisition Regulation Systems).

The top 5 barriers to the implementation of Multi-factor authentication are:

Implementation Costs: Even though newer MFA solutions are less expensive than earlier generations of solutions, businesses still fear that the cost implementing new technology will exceed their budgets.
User and customer resistance: People are generally resistant to change, so users and customers make no exception. It is important that they are educated by the company with respect to the importance of implementing MFA and the advantages it will bring for them.
Implementation resistance: Implementing multi-factor authentication is often just another infrastructure improvement on the list, and may not be regarded as a priority. Companies don’t always realize they have a security flaw and don’t see the need for improvement as long as it’s not broken. Another situation is that they are informed about MFA, but have heard unfortunate stories in which it was evaded.
Perceived unimportant data: Many businesses, especially SMEs, don’t think of their data as being of interest for hackers, especially if it is publicly available. Therefore, they consider passwords as being sufficient for protecting basic tools, such as employee e-mails.
Bothersome user experience: Having a seamless user experience is a top priority for any solution, and multi-factor authentication makes no exception. The implementation of a second step in the authentication process could be perceived by users as an unnecessary burden, despite its purpose of protecting their data.

Market drivers

Multi-factor authentication’s road to widespread adoption may be a rocky one, but there definitely is hope. As reports show, the Multi-factor authentication market is increasing, and is expected to spread across all industries, due to security concerns as well as its role in legislation compliance needs.

Multi-factor Authentication Market (2013–2020):

The top 5 market drivers for implementation of Multi-factor authentication are:

Compliance: Compliance is the primary reason why companies decide to dismiss password-based authentication systems. In order to gain compliance with cyber-security regulations, many businesses have no choice but to adopt MFA.
Development of mobile technologies: As multi-factor authentication requires at least 2 forms of identity, the widespread use of mobile devices makes it possible for MFA to reach more users, hence improving the overall authentication experience.
Increase in threats complexity: Even though no technology is 100% bullet-proof, the implementation of multi-factor authentication can drastically raise security ‘walls’ in the face of attackers, making the business less ‘attractive’ to hackers.
Increase in value of data: Businesses, especially large enterprises are aware of the increase in value and sensitivity of the data they hold, which is a strong reason for implementing multi-factor authentication.
Declining technology costs: Cloud-based authentication solutions are becoming popular among companies, and they often offer a pay-per-use subscription model which is cost efficient, scalable and requires minimal maintenance costs.

Companies come to realise that they are responsible for the data they hold and that it is vicious for them to keep using the same security strategy. Their business’ boundaries with respect to data storage has become a blurry area, so it is impossible to know for sure where all data lies, and how protected it is.

The adoption of multi-factor authentication depends greatly on companies’ attitude towards risk and security, as well as their status in gaining regulatory compliance.

Any new technology faces barriers to implementation, but also benefits from market drivers who will, in the end, decide its fate.

April 5, 2019

Raghul Chandrasekar

To help build a company along with passionate and driven people is one of the most satisfying things and I got the opportunity to do that at Trevonix.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.