Authentication has become an essential part of the cybersecurity toolkit for the CISO. But in the new world of cloud applications and networks without perimeters, what is the role for Multi-Factor Authentication? We asked leading IT professionals for their view.

The inexorable rise of digital connectivity and the ubiquity of devices is producing ever-increasing volumes of sensitive and personal data. For organisations, keeping that data secure, without affecting the productivity that is being driven by the digital revolution, is one of the biggest challenges for the IT department.

This transformation in how we access data at work has been built on an undoing of the traditional model: the old network perimeter, with VPN access for a small number of users working at home. As this access extended to mobile and flexible workers, authentication became essential in helping to manage user security.

“It has been found that, on average, individuals have 26 different logins but only 5 different passwords”.
Experian

The username-and-password method of secure access was widely supplemented by VPN connections, and yet, as the number of applications users needed access to grew, it remained an essential part of the user experience, especially for on-premise applications. The assumption that local users were more secure meant that the inconvenience of authentication was rarely considered. Worse, the move to the cloud has carried that assumption over, rather than reverting to the best practice of an additional security layer.

So, is the cloud fully trusted? On top of this, how can a secure authentication model be translated to embrace the flexibility of cloud applications and the better user experience they offer? We reached out to hundreds of CIOs, CISOs and IT leaders to ask them how authentication can bridge the divide between security and productivity.

Securing someone else’s cloud

It cannot be forgotten that public clouds are often just that – public. Those applications which are well known and accessible to anyone with an internet connection and credentials are still intrinsically tied to email addresses. When a password is the only defence against stolen credentials and unfettered access, it’s time to re-evaluate the approach.

IDG Cloud Computing Results - 56% of CIOs were uncertain about their ability to enforce their security policies on a provider's site, while 45% were concerned about unauthorised access on what they deemed to be untrusted networks.

Usernames and Passwords have prevailed for a number of reasons, including convenience, speed of deployment, flexibility and cost. However, the biggest reason is perhaps user experience, as we all understand how this system works (no matter our own challenges in remembering long complex passwords that are unique to every site and application). Our technology ecosystem even drives this behaviour, not least browsers remembering passwords for us. The movement of traditionally consumer applications (such as Dropbox) into the corporate environment has also brought ease of use as a user expectation.

It’s also often the product of shadow IT and BYOD; as departments increasingly purchase applications and services outside of the IT department and rogue devices consequentially appear (such as the CEO’s iPhone), an all-encompassing approach to user identity management and security is very hard to apply.

Survey Results

Authentication Survey Question 1 - Do you currently use 2FA or Multi factor authentication within your organisation? 62% said yes, 38% said no.

Firstly, the use of Two Factor Authentication (or 2FA/MFA) within organisations is high at 62%, showing the majority of respondents deploying the technology within the organisation. The increased focus on the user, and their role at the forefront of cybersecurity defences, highlights the importance of validating their identity, while the user experience has improved alongside general familiarity with the technology (especially with 2FA used for personal banking or to validate cloud accounts with major email/social platforms).

However, over a third of respondents (38%) don’t use 2FA, showing that many organisations have yet to be convinced.

Authentication Survey Question 2 - If yes to Question 1, what do you use 2FA/Multi Factor Authentication for? 62% said VPN, 40% said Cloud Application, 23% said Thin Client Access, 20% said Local Workstation and 20% said Single Sign On (SSO).

For those organisations using authentication, the highest use case by far was for VPN at 67% or remote access for mobile workers. This has traditionally been the main driver for authentication, focused around securing the traditional network perimeter. The second most popular use was for cloud applications, which indicates the recognition of their growth in helping drive digital transformation projects, flexible performance, and a move to more dynamic IT enablement and away from the complexity of on-premise infrastructure.

Importantly, even when deploying the hugely popular Office 365 suite, it’s not just about using applications like Outlook or Word; the most popular usage was OneDrive for file storage, making security even more important to validate identity. Less popular uses were thin clients, workstations and SSO. VDI remains a minority technology for many organisations, while SSO brings great potential around user experience, but is often viewed as a lower priority when budgets are defined.

Significantly, the results also show that organisations using authentication deploy it for multiple use cases – not just one. Being able to leverage technology in more than a single application can significantly increase ROI.

Authentication Survey Question 3 - Do you see your use of 2FA or Multi factor authentication increasing to encompass more applications or use cases? 88% said yes, 12% said no.

For all survey participants, a huge majority see their use of 2FA increasing to more applications or other use cases. This covers both the extension of existing 2FA deployments and net new ones, following general market trends and the growing drive towards improving security around user identity.

Authentication Survey Question 4 - What is your standard method or methods of authentication? 75% said mobile token, 27% said physical token, 27% said screen challenge with 1% saying other.

It is clear that mobile tokens are the most commonly used form of authentication (at 75%), and interestingly, the data suggests that almost all organisations don’t use multiple methods. Hardware tokens – the longest-running offering – have declined to just 27%, with the convenience of mobile tokens clearly being a key driver in helping meet user demands. Screen challenges are the most recent offering and are already equalling physical tokens.

Authentication Survey Question 5 - Do you offer users a choice of authentication (based on preference)? 58% said no, 42% said yes.

Although most organisations do not offer end-users a choice of authentication based on preference (58%), a significant number do (42%), highlighting that providing a positive user experience is key in driving adoption and reducing the soft costs of authentication deployment (such as support calls).

Authentication Survey Question 6 - Do you offer users a choice of authentication (based on scenario, for example location, device being used or time zone)? 71% said no, 29% said yes.

While offering users a choice is almost split 50/50, doing so in a dynamic way based on the specific use case scenario (such as the device being used, or what their location is) is significantly reduced. Just over a quarter (29%) offer it, meaning that for the rest, users are faced with having additional authentication requirements regardless.

The user experience is clearly an important element to many organisations, understanding that their staff are the front line of cybersecurity. They’re also aware that ensuring buy-in with any technology is dependent on delivering a simple, engaging user experience. This increases usage and reduces the chance of staff working around the problem, or increasing costs through additional support calls when things go wrong. Cost is the second most popular factor, recognising the limitations of budgets and the need for a cost-effective solution.

Having the option of a range of tokens is the second most popular requirement at 62%, yet only 42% currently have it. This suggests that there is a strong market demand for products that offer a more flexible approach. Ease of management and deployment options quickly follow, the latter again highlighting that the legacy approach of on-premise (or a secondary option of public cloud) may not be sufficient for many.

Authentication Survey Question 8 - How is your current solution deployed? 46% said on premise, 23% said public cloud, 12% said private cloud and 19% having a hybrid approach.

The majority of respondents still have on-premise authentication solutions, which has been the preferred method for most legacy technologies. The newer arrivals in the market have often been deployed on public cloud (such as Amazon Web Services or Microsoft Azure), offering the quickest route to market. However, many organisations may have reservations, due to questions around data security or location (to ensure compliance with legislation such as GDPR). Private Cloud is the least common, but this may be due to few companies providing it as an option.

Authentication Survey Question 9 - Over the next 3 years, how likely is it that your business will increase its use of cloud applications that users regularly access? 57% expected use to significantly increase, 29.7% a little, 10.9% said usage would stay the same with no respondents expecting cloud app usage to reduce.

Overwhelmingly, organisations are looking to increase their level of cloud usage, and nearly two-thirds see that rise as being significant. Yet only 40% of respondents currently use authentication for cloud apps, and with the likes of Office365, Salesforce and Dropbox all containing copious amounts of customer and company data (both in terms of breadth and depth), many will surely be looking for additional layers of security to protect and secure access to it.

Authentication Survey Question 10 - How important is providing a Single Sign On (SSO) experience to your users moving forward? 68.8% thought SSO was very important, 25.4% considered it a little important, 4.3% not very important and 1.4% not at all important.

Similar to the finding that many organisations use cloud applications but don’t secure access with authentication, nearly 95% of respondents see Single Sign-On (SSO) as an essential part of their IT strategy moving forward, and yet only 20% currently use it as part of their authentication deployment.

Authentication Survey Question 11 - If you did deploy SSO, what would be the biggest reason? 51% said better user experience, 37% said improved security, 8.8% to meet compliance requirements and 2.9% a reduction in password reset requests.

As a follow-up, we then asked what this strategy towards SSO would be driven by. Again, the user experience was key for over half the respondents. This was closely followed by better security, with compliance and a reduction in internal IT costs (such as reducing password reset requests) much lower down.

Authentication Survey Question 12 - How important is user security & management as part of your cybersecurity strategy? 90% said very important, 10% a little important with no respondents believing it was not very or not at all important.

Finally, the overwhelming response on the importance of user security management as part of the cybersecurity strategy was that it plays a hugely important role. The challenge, of course, is how it can be effectively implemented.

Conclusion

Authentication as a technology has been part of many organisations’ cybersecurity strategies for many years. Traditionally relegated to the role of securing access to a VPN for remote workers, the explosion in cloud applications in the last 5 years has seen a growth in enterprises looking to embrace MFA as part of a wider move to user identity management. In the meantime, online services for consumers have made the technology more familiar for many, and the user experience in this field has helped drive the corporate adoption of mobile tokens and interactive challenges.

At the heart of the survey’s findings is the challenge of balancing user experience with security. Clearly, both ride at the top of priority lists, yet throughout, many organisations are looking towards a cloud-first approach and user-centric solutions whilst relying on legacy technology. The ‘digital transformation’ approach that is often at the heart of many IT strategies – currently being championed by CIOs – is designed to embrace the opportunities and unleash employee potential through IT. However, if access to these applications remains a challenge to manage and secure, then their success could ultimately be restricted.

The threat landscape for the modern CIO is forever changing, and the introduction of GDPR adds a significant legislative burden on protecting the data that is now increasingly spread across a local network, mobile devices and cloud applications. Ensuring that data is secured may be the primary focus, but providing access is the next step, and its level of security will define the success of the cybersecurity strategy. No one will want to compromise a positive user experience, but security demands will mean that a different approach is required.

This balance of user experience and security is central to risk-based authentication (RBA), which allows for the adaptation to the circumstances of the user’s access to a service through a set of policy rules. Therefore, every deployment will be unique to specific needs and risks. This results in a collaborative relationship between job role and IT functions, thus providing an essential educational tool to users which assists them in balancing security with productivity, as well as enforcing necessary controls.

Those rules could relate to the date/time, device, physical location, what service is being accessed and who the user is. Combining risk profiling with policy-based controls and a range of authentication methods (including PIN, SMS, image and mobile app) provides the most effective security possible, directly related to the sensitivity and confidential nature of the data, while providing a seamless experience for the user. It can even encompass compliance requirements (by data type, source or geo-location), ensuring that business processes are perfectly in sync with the practical implementation of IT security policy, or portals that give the user the ability to change their PIN, password or self-provision the app, saving valuable IT staff time.
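To make the risk-based approach concrete, here is an added illustration (not code from this page or from any vendor's product) of how date/time, device, location and service-sensitivity rules can be combined into a single step-up decision. Service names, country codes, weights and thresholds are all assumed values chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy data: how sensitive each service is (0 = public, 3 = highly
# confidential). Unknown services are treated as highly sensitive by default.
SERVICE_SENSITIVITY = {"intranet-news": 0, "email": 1, "onedrive": 2, "hr-payroll": 3}

# Constructed data-residency rule: some services may only be reached from
# approved countries, regardless of how the user authenticates.
SERVICE_ALLOWED_COUNTRIES = {"hr-payroll": {"GB", "IE", "DE"}}


@dataclass(frozen=True)
class AccessContext:
    user: str
    service: str
    device_known: bool   # True if the device is enrolled/managed by IT
    country: str         # ISO country code derived from the request
    home_country: str    # country the user normally works from
    when: datetime       # local time of the access attempt


def risk_score(ctx: AccessContext) -> int:
    """Sum the policy factors into a single risk score."""
    score = SERVICE_SENSITIVITY.get(ctx.service, 3)
    if not ctx.device_known:
        score += 2                       # unmanaged device
    if ctx.country != ctx.home_country:
        score += 2                       # unusual location
    if ctx.when.hour < 6 or ctx.when.hour >= 22 or ctx.when.weekday() >= 5:
        score += 1                       # outside normal working hours
    return score


def required_factor(ctx: AccessContext) -> str:
    """Map the risk score onto the authentication the user must complete."""
    allowed = SERVICE_ALLOWED_COUNTRIES.get(ctx.service)
    if allowed is not None and ctx.country not in allowed:
        return "deny"                    # compliance rule wins outright
    score = risk_score(ctx)
    if score <= 1:
        return "password"                # low risk: no step-up
    if score <= 3:
        return "password+mobile-app"     # medium risk: push to enrolled app
    if score <= 5:
        return "password+hardware-token" # high risk: strongest factor
    return "deny"


def decide(user, service, device_known, country, home_country, when_iso):
    """Convenience wrapper so callers can pass the timestamp as an ISO string."""
    ctx = AccessContext(user, service, device_known, country, home_country,
                        datetime.fromisoformat(when_iso))
    return required_factor(ctx)
```

Tuning the weights and thresholds per organisation is exactly the "every deployment will be unique" point above; logging the score alongside the decision also gives the help desk a clear reason when a user asks why they were challenged.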

This approach enables organisations to embrace the flexibility of cloud applications, the productivity of a mobile workforce, and the convenience of technologies such as SSO and RBA, while ensuring that an enterprise security policy is in place and an authentication solution can provide the first line of defence against the biggest threats.
