Nearly half of US organizations do not use multi-factor authentication to protect against compromised credentials, a survey by global IT security vendor IS Decisions finds today, with organizations citing ‘ infrastructure complexity’ (28%) and ‘time needed to manage and oversee’ (18%) as two of the biggest barriers to adoption.
The news comes off the back of criticism of multi-factor authentication by the National Institute of Standards and Technology, which now advises against using SMS as one of the factors to comply with FISMA regulation. The change was in response to the relative ease with which cybercriminals can now swap phone numbers to different phones.
Results in the survey also suggest that organisations are concerned by the fact that the technology impedes end users, with 47% agreeing that security measures in their organisation negatively impacts productivity.
While multi-factor authentication undoubtedly makes data safer than single-factor, there are other methods to protecting data that do not impede end users and or take a lot of time and money to set up and manage, the report suggests. Context-aware security rules can restrict access to administrator-approved devices, times of day, location, and even particular workstations. If an attacker then gets their hands on a legitimate login through phishing, they won’t be able to get access, which means that data remains safe, and companies don’t run the risk of non-compliance to industry regulation.
IS Decisions CEO François Amigorena said: “Most people in the security world seem to be talking about multi-factor authentication, but our research has found that most organizations have chosen not to use this technology because of the frustration it causes — impeding end users and disrupting existing IT infrastructure. And now there is the question of effectiveness, as we’ve seen in NIST’s recent announcement.”
The IS Decisions’s report also finds that US employees lose approximately 22 minutes every week because of complex IT security procedures, of which multi-factor authentication is a part. That time equates to 182 days of lost productivity a year for a firm of 250 employees, and 22 days a year for firms of 30 employees.
In response to the US’s need for a reliable alternative to multi-factor authentication, IS Decisions has compiled a ‘top tips’ guide on how to improve security without impeding the end user.
