So what will happen to authentication and passwords? Part 2 of the Javelin Strong Authentication Status Report

Javelin Strategy & Research recently released The State of Strong Authentication 2019 report. Its authors collected information about which authentication methods are used in corporate environments and in consumer applications, and drew interesting conclusions about the future of strong authentication.

We have already published the translation of the first part, containing the report authors' conclusions, on Habr. Now we present the second part, with the data and charts.

From the translator

I will not copy the whole section of the same name from the first part, but I will repeat one paragraph.

All figures and facts are given without the slightest change; if you disagree with them, argue with the authors of the report rather than with the translator. My own comments (set as quotes and italicized in the text) are my value judgments, and I am happy to argue about each of them (as well as about the quality of the translation).

User Authentication

Since 2017, the use of strong authentication in consumer applications has grown dramatically, mainly due to the availability of cryptographic authentication methods on mobile devices, although only a slightly smaller share of companies use strong authentication for web applications.

Overall, the percentage of companies using strong authentication in their business has tripled from 5% in 2017 to 16% in 2018 (Figure 3).

The ability to use strong authentication for web applications is still limited (only very recent versions of some browsers can talk to cryptographic tokens; this problem is solved by installing additional software, such as the Rutoken Plugin), so many companies use alternative methods for online authentication, such as mobile apps that generate one-time passwords.

Hardware cryptographic keys (here we mean only those that comply with the FIDO standards), such as those offered by Google, Feitian, OneSpan and Yubico, can be used for strong authentication without installing additional software on desktops and laptops (because most browsers already support FIDO's WebAuthn standard), but only 3% of companies use this option to log in their users.

A comparison of cryptographic tokens (such as Rutoken EDS PKI) and security keys built to the FIDO standards is beyond the scope of this report, and of my comments on it. In short, both kinds of token use similar algorithms and operating principles. FIDO tokens are currently better supported by browser vendors, although this will change soon as more browsers support the WebUSB API. On the other hand, classical cryptographic tokens are protected by a PIN code, can sign electronic documents, can be used for two-factor authentication in Windows (any version), Linux and Mac OS X, and have APIs for various programming languages that allow implementing 2FA and electronic signature (ES) in desktop, mobile and web applications; tokens produced in Russia also support the Russian GOST algorithms. In any case, a cryptographic token, regardless of the standard it was built to, is the most reliable and convenient method of authentication.
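As an added example (not from the report or the translator), here is the relying-party side of the WebAuthn assertion check that lets a FIDO security key work in the browser without extra software: the browser-supplied origin and challenge and the rpIdHash bind the response to this site and this login, and the UV flag records that the token's PIN or biometric was checked. The relying party example.com and the sample data are constructed; the signature verification itself needs a crypto library and is not included.

```python
import base64, hashlib, json, struct

# Bits of the WebAuthn authenticator-data flags byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the token

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": count}

def check_assertion(client_data_json: bytes, auth_data: bytes, *,
                    expected_challenge: bytes, expected_origin: str, rp_id: str,
                    stored_sign_count: int, require_uv: bool) -> dict:
    """Relying-party checks binding an assertion to this site and this login.
    The signature over auth_data || sha256(client_data_json) is verified separately."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed response")
    if client.get("origin") != expected_origin:
        # The browser fills in the origin; a look-alike site cannot forge it.
        raise ValueError("origin mismatch: %r" % client.get("origin"))
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not belong to this relying party")
    if not (parsed["flags"] & FLAG_UP):
        raise ValueError("user presence not asserted")
    if require_uv and not (parsed["flags"] & FLAG_UV):
        raise ValueError("user verification (PIN/biometric) required")
    if (parsed["sign_count"] or stored_sign_count) and parsed["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned key")
    return parsed

# Constructed sample of what a browser hands back for the hypothetical relying
# party example.com (real values come from navigator.credentials.get()).
RP_ID, ORIGIN, CHALLENGE = "example.com", "https://example.com", b"\x01" * 32
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": ORIGIN,
}).encode()
SAMPLE_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
                    + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 42))
```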


Beyond Security: Other Benefits of Strong Authentication

Not surprisingly, the use of strong authentication is closely related to the importance of the data a business holds. Companies that hold Personally Identifiable Information (PII) such as social security numbers, or Personal Health Information (PHI), face the most legal and regulatory pressure, and these companies are the most aggressive adopters of strong authentication. The pressure on businesses is heightened by the expectations of customers, who want to know that the organizations they trust with their most sensitive data are using strong authentication methods. Organizations that process sensitive PII or PHI are more than twice as likely to use strong authentication as organizations that only store user contact information (Figure 7).


Unfortunately, companies are not yet willing to implement strong authentication methods. Nearly a third of business decision makers consider passwords to be the most effective authentication method among those listed in Figure 9, and 43% consider passwords to be the easiest authentication method.


This chart proves that business application developers are the same the world over: they see no profit in implementing advanced account-protection mechanisms and share the same misconceptions. Only action by regulators can change the situation.

Leave passwords aside. But what must one believe in order to think that security questions are more secure than cryptographic tokens? The effectiveness of security questions, whose answers are trivially guessed, was rated at 15%, while tokens, which have not been hacked, got only 10%. They could at least have watched the film "Illusion of Deception" ("Now You See Me"): in allegorical form, it shows how easily the conjurers coaxed all the answers they needed out of a swindler businessman and left him without his money.

One more fact says a lot about the qualifications of those responsible for security mechanisms in consumer applications: in their understanding, entering a password is a simpler operation than authenticating with a cryptographic token. Yet what could be easier than plugging a token into a USB port and entering a short PIN code?

It is worth noting that implementing strong authentication lets enterprises stop worrying about the authentication methods and operating rules needed to block fraud schemes, and focus instead on meeting the real needs of their customers.

While compliance is a perfectly reasonable top priority both for businesses that use strong authentication and for those that don't, companies that already use strong authentication are far more likely to say that increasing customer loyalty is the most important metric they consider when evaluating an authentication method (18% versus 12%) (Figure 10).


Corporate Authentication

Since 2017, the adoption of strong authentication in enterprises has been growing, but somewhat more modestly than for consumer applications. The share of enterprises using strong authentication increased from 7% in 2017 to 12% in 2018. In contrast to consumer applications, in the corporate environment non-password authentication methods are slightly more common in web applications than on mobile devices. About half of businesses report using only usernames and passwords to authenticate their users at login, and one in five (22%) also rely solely on passwords for secondary authentication when accessing sensitive data (that is, the user first logs into the application with a simpler authentication method, and when they want to access critical data they go through another authentication procedure, this time usually with a more reliable method).


Bear in mind that the report does not account for the use of cryptographic tokens for two-factor authentication in the Windows, Linux and Mac OS X operating systems, which is currently the most widespread use of 2FA. (Alas, tokens built to the FIDO standards can only provide 2FA for Windows 10.)

Moreover, while implementing 2FA in web and mobile applications requires a whole set of measures, including modifying the applications themselves, implementing 2FA in Windows only requires configuring a PKI (for example, based on Microsoft Certification Server) and authentication policies in AD.

And since protecting the login to the work PC and to the domain is an important element of protecting corporate data, the adoption of two-factor authentication there keeps growing.

The next two most common login authentication methods for users are one-time passwords delivered via a separate application (13% of enterprises) and one-time passwords delivered via SMS (12%). Although the usage rates of the two methods are very similar, SMS OTP is used far more often for step-up (secondary) authentication (in 24% of companies) (Figure 12).


The growth in the use of strong authentication in the enterprise can probably be explained by the increased availability of implementations of cryptographic authentication methods on enterprise identity management platforms (in other words, enterprise SSO and IAM systems have learned to use tokens).

For mobile authentication of employees and contractors, enterprises rely more on passwords than they do for authentication in consumer applications. Just over half (53%) of businesses use passwords to authenticate user access to company data via a mobile device (Figure 13).

In the case of mobile devices, one might believe in the great power of biometrics, if not for the many cases of faked fingerprints, voices, faces and even irises. A single search engine query will show that there is simply no reliable method of biometric authentication. Truly accurate sensors certainly exist, but they are very expensive and bulky, and are not installed in smartphones.

Therefore, the only working method of 2FA on mobile devices is cryptographic tokens that connect to the smartphone via the NFC, Bluetooth or USB Type-C interfaces.


Protecting company financial data is the top reason for investment in passwordless authentication (44%), with the fastest growth since 2017 (an increase of eight percentage points). This is followed by the protection of intellectual property (40%) and personnel (HR) data (39%). It is understandable why: not only is the value of these types of data widely recognized, but a relatively small number of employees work with them. That is, the implementation costs are not so large, and only a few people need to be taught how to work with a more complex authentication system. In contrast, the types of data and devices commonly accessed by the majority of employees in an enterprise are still protected solely by passwords. Employee documents, workstations and corporate e-mail portals are the areas of greatest risk, with only a quarter of enterprises securing these assets with passwordless authentication (Figure 14).


In general, corporate e-mail is a very dangerous and "leaky" thing, and most CIOs underestimate the degree of danger. Employees receive dozens of e-mails every day, so it is easy for at least one phishing (that is, fraudulent) message to slip in among them. That message will be styled like the company's own mail, so the employee will not hesitate to click the link in it. After that anything can happen: for example, malware is downloaded to the attacked machine, or passwords leak (including through social engineering, by entering them into a fake authentication form created by the attacker).

To prevent this, e-mails need to be signed. Then it is immediately clear which message was created by a legitimate employee and which by an attacker. In Outlook/Exchange, for example, electronic signature based on a cryptographic token is enabled quickly and simply, and can be used together with two-factor authentication on PCs and in Windows domains.

Among those executives who rely exclusively on password-based authentication within the enterprise, two-thirds (66%) do so because they believe that passwords provide sufficient security for the type of information their company needs to protect (Figure 15).

But strong authentication methods are becoming more common, largely because their availability is increasing: a growing number of identity and access management (IAM) systems, browsers and operating systems support authentication with cryptographic tokens.

Strong authentication has one more advantage. Since the password is no longer used (it is replaced by a short PIN), there are no requests from employees to reset a forgotten password, which in turn reduces the burden on the enterprise IT department.


Results and conclusions

  1. Managers often lack the knowledge needed to assess the real effectiveness of the various authentication options. They are used to trusting obsolete protection methods such as passwords and security questions, simply because "it used to work".
  2. Users have even less of this knowledge; for them the main thing is simplicity and convenience. So far they have no incentive to choose more secure solutions.
  3. Developers of consumer applications often have no reason to implement two-factor authentication instead of a password. There is no competition on the level of protection in consumer applications.
  4. All responsibility for a compromise is shifted onto the user. Gave a one-time password to an attacker: your fault. Your password was intercepted or spied on: your fault. Did not demand that the developer use strong authentication in the product: your fault.
  5. A proper regulator should first of all require companies to implement solutions that block data leaks (in particular, two-factor authentication), rather than punishing leaks that have already happened.
  6. Some software developers are trying to sell consumers old and not particularly reliable solutions in the beautiful packaging of an "innovative" product, for example authentication by binding to a specific smartphone, or biometrics. As the report shows, only a solution based on strong authentication, i.e. cryptographic tokens, can be truly reliable.
  7. The same cryptographic token can be used for a range of tasks: strong authentication in the enterprise operating system and in corporate and consumer applications, and electronic signature of financial transactions (important for banking applications), documents and e-mail.

Source: habr.com