Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/11/2017
09:11 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Survey Points to Slight Rise in Adaptive Authentication Over 2FA

SecureAuth study reports a majority of IT decision makers and security pros have issues with two-factor authentication.

Security technologies continue to evolve as threats expand and some companies are turning to adaptive authentication as users report issues with two-factor authentication, according to a new study.

The study by SecureAuth found that 74% of respondents who use two-factor authentication admit that they receive complaints about the technology – and nearly 10 percent of users simply “hate it.”

These findings are in sharp contrast to a 2016 survey from SecureAuth in which 99% said two-factor authentication was the best way to protect an identity and access.

Amplitude Research conducted this year’s survey. The research group polled more than 300 IT decision makers and cybersecurity pros on industry concerns and perspectives on two-factor authentication.

“Users are responding to anything extra they have to carry,” says Craig Lund, SecureAuth’s CEO. “It’s what we call ‘no-friction’ in the log-in process. The log-in has to be very straightforward and as few extra steps as possible.”

With adaptive authentication, Lund says, instead of deploying a software or hardware token, all the security takes place in the background. Any remediation or alerts take place as-needed.

“If a user logs in from New York,” he says, “but an hour later logs in from Irvine, Calif., that sets off a red flag.” 

The survey reports that while 56% of organizations still use two-factor authentication in many instances, 37% are using adaptive authentication and an additional 16 percent are preparing to implement or expand the technology in the next 12 months. When looking at large organizations of 2,500 or more employees, usage of adaptive authentication rises to 41%.

Therein lies the rub, says Jon Oltsik, a senior principal analyst at the Enterprise Strategy Group who covers IT security.

While Oltsik agrees that adaptive authentication can be beneficial, it’s expensive and often difficult to deploy.

“Adaptive authentication is an enterprise type of application,” Oltsik says. “Given that more than 40% of the sampling in this survey is of companies with fewer than 500 employees, I think a technology such as adaptive authentication would be low down on their priority list. Companies of that size won’t be leading-edge consumers.”

However, the SecureAuth survey does point out that while only 24% of small businesses were likely to deploy adaptive authentication, 73% of survey respondents from small companies say they were concerned about the potential misuse of stolen credentials and identities to access their organization’s assets and information.

“Remember that small companies often can only afford one security professional,” adds Oltsik. “So they have to decide what that person is going to spend their time on.” 

Related Content:

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HardenStance
50%
50%
HardenStance,
User Rank: Strategist
1/18/2017 | 8:58:05 AM
User Behavior Analytics?
Interesting how the survey seems to point to a very short-lived "honeymoon period" for 2FA.

I'm interpreting adaptive authentication as another term for user behaviour analytics here. Is that right?

Looking for anomalies relative to a baseline of the specific devices the individual typically uses; the locations they typically access services from; the specific services they typically access. Even the particular way in which they make keystrokes on a keyboard, their gait, stance, posture or walk or heartbeat pattern, that kind of thing?

I know of a couple of companies using UBA with decent results.

Interested to hear more about real-world adoption rates.
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.