As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organisations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, Javelin Strategy & Research’s new “The State of Strong Authentication 2019” report has found.
The report, sponsored by the FIDO Alliance, analyses the state of customer and enterprise (employee) authentication amongst U.S. businesses and draws conclusions on the role strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.
In the report, Javelin’s key findings and recommendations show:
The report includes case studies from Google, Tradelink and Visa, all of which are leveraging FIDO Authentication to provide stronger protection for customer and employee accounts.
“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realise that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny. As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cybercriminals.”
“It’s great to see that organisations are recognising that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “I hope this study helps to raise awareness of new cryptographically-backed authentication capabilities, compliant with industry standards from FIDO Alliance and W3C, now widely available in leading web and mobile app platforms. These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users -- allowing them to use their finger, face or security key to log in to all of their favorite websites and applications.”