Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS codes that leave them vulnerable to data breaches.
That’s the word from Javelin Strategy & Research’s 2017 State of Authentication Report, based on two online surveys of 200 businesses with customer portals and 200 with employee portals. It found that half of all respondents still use only passwords to protect company IP and financial data. The half that do offer at least two factors when authenticating their customers tend to use the weakest options: static questions (31%) and SMS one-time passcodes (25%) are the most prevalent additional factors for customer authentication online.
Meanwhile, only 35% of enterprises use two or more factors for authenticating their employees to data and systems. Among both groups, high-assurance strong authentication (i.e., factors predicated on possession, such as a security key or on-device biometrics) is rare: only 5% of businesses offer the capability to customers or leverage it within the enterprise. The most common authentication method after passwords is static questions (26%).