So what will happen with authentication and passwords? Part 2 of the Javelin Strong Authentication Status Report
Recently, the research company Javelin Strategy & Research published the report The State of Strong Authentication 2019. Its creators collected information about what authentication methods are used in the corporate environment and user applications, and also made interesting conclusions about the future of strong authentication.
We already published the translation of the first part with conclusions of authors of the report on Habré . And now we present to your attention the second part - with data and graphs.
From translator
I will not completely copy the entire block of the same name from the first part, but I still duplicate one paragraph.
All figures and facts are presented without the slightest change, and if you do not agree with them, it is better to argue not with the translator, but with the authors of the report. But my comments (made up as citations, and marked in the text by the Italian ) are my value judgment and for each of them I will be happy to argue (as well as the quality of the translation).
User authentication
Since 2017, the use of strong authentication in user applications has grown rapidly, mainly due to the availability of cryptographic authentication methods on mobile devices, although only a slightly smaller percentage of companies use strong authentication for Internet applications.
In general, the percentage of companies using strong authentication in their business tripled from 5% in 2017 to 16% in 2018 (Figure 3).
The possibilities of using strong authentication for web applications are still limited ( due to the fact that only completely new versions of some browsers support interaction with cryptographic tokens, however, this problem is solved by installing additional software, such as Rutoken Plug-in), so many companies use alternative methods for online authentication, such as programs for mobile devices that generate one-time passwords.
Hardware cryptographic keys ( meaning FIDO standards only ), such as those offered by Google, Feitian, One Span, and Yubico, can be used for strong authentication without installing additional software on desktop computers and laptops ( because most browsers already support the WebAuthn standard from FIDO ), but only 3% of companies use this feature to login their users.
Comparison of cryptographic tokens (like Rutoken PKI EDS ) and secret keys working according to FIDO standards is not only beyond the scope of this report, but also my comments on it. If at all, briefly, then both types of tokens use similar algorithms and principles of operation. FIDO tokens are currently better supported by browser manufacturers, though the situation will change soon as more browsers support the Web USB API. But classic cryptographic tokens are protected by a PIN code, can sign electronic documents and be used for two-factor authentication in Windows (any version), Linux and Mac OS X, they have APIs for various programming languages that allow implementing 2FA and ES in desktop, mobile and Web applications , and tokens produced in Russia support Russian GOST algorithms. In any case, a cryptographic token, regardless of the standard by which it is created, is the most reliable and convenient authentication method.
Beyond Security: Other Benefits of Strong Authentication
Not surprisingly, the use of strong authentication is closely related to the importance of data stored by the business. The most legal and regulatory pressures are faced by companies that store confidential personal information (Personally Identifiable Information - PII), such as Social Security numbers or Personal Health Information (PHI). It is these companies that are the most aggressive adherents of strong authentication. The pressure on the business is exacerbated by the expectations of customers who want to know that organizations they trust their most sensitive data use reliable authentication methods. Organizations that handle sensitive PII or PHI are more than twice as likely to use strong authentication than organizations
Unfortunately, companies do not yet want to implement reliable authentication methods. Almost a third of business decision makers consider passwords to be the most effective authentication method, among all those listed in Figure 9, and 43% consider passwords to be the easiest authentication method.
This diagram proves to us that the business application developers are the same all over the world ... They do not see a profit in implementing advanced account access protection mechanisms and share the same misconceptions. And only the actions of regulators can make a difference.
We will not touch passwords. But what should you believe in to consider that security questions are safer than cryptographic tokens ?? The effectiveness of control questions, which are selected elementarily, was estimated at 15%, and not hacked tokens - at only 10. At least the movie “The Illusion of Deception” would be watched, although in an allegorical form, it is shown how easily the magicians lured all the necessary for the crook businessman the answers left him without money.
And one more fact that says a lot about the qualifications of those who are responsible for the security mechanisms in user applications. In their understanding, the process of entering a password is a simpler operation than authentication using a cryptographic token. Although, it would seem that it might be easier to connect the token to the USB port and enter a simple PIN code.
It is important to note that the implementation of strong authentication allows enterprises to no longer think about the authentication methods and rules of work necessary to block fraudulent schemes to meet the real needs of their customers.
While regulatory compliance is a prudent top priority for businesses that use strong authentication and those that don’t, authentication companies that already use strong authentication are much more likely to say that increasing customer loyalty is the most important indicator that they take into account when evaluating the authentication method. (18% vs 12%) (Figure 10).
Corporate Authentication
Since 2017, the implementation of strong authentication in enterprises has been growing, but a little more modest than for consumer applications. The share of enterprises using strong authentication increased from 7% in 2017 to 12% in 2018. Unlike user applications, in the corporate environment the use of non-password authentication methods is somewhat more common in web applications than on mobile devices. About half of enterprises report using only usernames and passwords to authenticate their users at the login, and one in five (22%) also relies exclusively on passwords for secondary authentication when accessing sensitive data (that is, the user first logs into the application using a simpler authentication method, and if he wants to learn access to critical data, he will perform another authentication procedure, this time usually using a more reliable method ).
You need to understand that the report does not take into account the use of cryptographic tokens for two-factor authentication in the operating systems Windows, Linux and Mac OS X. And this is currently the most widespread use of 2FA. (Alas, tokens created according to FIDO standards are able to implement 2FA only for Windows 10).
Moreover, if the implementation of 2FA in online and mobile applications requires a set of measures, including the completion of these applications, then for the implementation of 2FA in Windows you only need to configure PKI (for example, based on Microsoft Certification Server) and authentication policies in AD.
And since protection of the entrance to the working PC and domain is an important element of protecting corporate data, the implementation of two-factor authentication is becoming more and more.
The next two most common methods of user authentication when entering the system are one-time passwords provided through a separate application (13% of enterprises) and one-time passwords delivered via SMS (12%). Although the percentage of using both methods is very similar, OTP SMS is most often used to increase the level of authorization (in 24% of companies). (Figure 12).
The increase in the use of strong authentication in the enterprise can probably be explained by the increased availability of implementations of cryptographic authentication methods on enterprise identity management platforms (in other words, corporate SSO and IAM systems have learned how to use tokens).
For mobile authentication of employees and contractors, enterprises rely more on passwords than authentication in consumer applications. Just over half (53%) of enterprises use passwords to authenticate user access to company data through a mobile device (Figure 13).
In the case of mobile devices, one could believe in the great power of biometrics, if not for the many cases with fakes of prints, voices, faces, and even irises. A single search query will show that a reliable way to biometric authentication simply does not exist. Truly accurate sensors certainly exist, but they are very expensive and large in size - and they are not installed in smartphones.
Therefore, the only working 2FA method in mobile devices is the use of cryptographic tokens that connect to a smartphone via NFC, Bluetooth and USB Type-C interfaces.
Protecting the company's financial data is the main reason for investing in passwordless authentication (44%) with the fastest growth since 2017 (an increase of eight percentage points). The following is the protection of intellectual property (40%) and personnel (HR) data (39%). And it’s understandable why - not only is the value associated with these types of data widely recognized, but a relatively small number of employees also work with them. That is, the implementation costs are not so large, and only a few people need to learn how to work with a more complex authentication system. In contrast, the types of data and devices that most enterprise employees typically access are still protected exclusively with passwords. Employee documents, workstations, and corporate email portals are areas of greatest risk,
In general, corporate email is a very dangerous and “leaky” thing, the degree of potential danger of which is underestimated by most CIOs. Every day, employees receive dozens of emails, so why not even one phishing (that is, fraudulent) message among them. This letter will be issued in the style of company letters, so the employee will click on the link in this letter without fear. Well, then it could be anything, for example, loading a virus onto an attacked machine or draining passwords (including using social engineering, by entering a false authentication form created by an attacker).
To prevent such things from happening, emails must be signed. Then it will immediately be clear which letter was created by a legal employee, and which attacker. In Outlook / Exchange, for example, an electronic signature based on cryptographic tokens is turned on quite quickly and simply and can be used in conjunction with two-factor authentication in PCs and Windows domains.
Among those executives who rely solely on password authentication within the enterprise, two-thirds (66%) do so because they think that passwords provide sufficient security for the type of information that their company needs to protect (Figure 15).
But strong authentication methods are becoming more common. Largely due to the fact that their availability is increasing. More and more identity and access control (IAM), browsers and operating systems support authentication with cryptographic tokens.
Strong authentication also has another advantage. Since the password is no longer used (replaced with a simple PIN), there are no requests from employees asking to change the forgotten password. Which in turn reduces the burden on the IT department of the enterprise.
Summary and Conclusions
- Managers often do not have the necessary knowledge to evaluate the real effectiveness of various authentication options. They are used to trusting outdated security methods like passwords and security questions simply because “it used to work.”
- Users have this knowledge to an even lesser degree , for them the main thing is simplicity and convenience . So far, they have no incentive to choose more secure solutions .
- Custom application developers often have no reason to implement two-factor authentication instead of password authentication. Competition on the level of protection in custom applications missing .
- All responsibility for hacking is transferred to the user . He called the one-time password to the attacker - to blame . Your password was intercepted or spied - to blame . I did not require the developer to use reliable authentication methods in the product - it's to blame .
- The right regulator should first of all require companies to implement solutions that block data leaks (in particular two-factor authentication), and not punish for a data leak that has already occurred .
- Some software developers are trying to sell old and not particularly reliable solutions to consumers in beautiful packaging of an “innovative” product. For example, authentication, by binding to a specific smartphone or using biometrics. As you can see from the report, only a solution based on strong authentication, that is, cryptographic tokens, can be truly reliable .
- The same cryptographic token can be used for a number of tasks : for strong authentication in the enterprise operating system, in a corporate and user application, for electronic signing of financial transactions (important for banking applications), documents and email.