LAS VEGAS -- Although corporate treasury and finance professionals are probably tired of hearing that passwords aren't sufficient to protect customer data, apparently businesses as a whole aren’t getting the message. Wednesday morning at Money 2020, attendees got a wake-up call in the form of a new survey.
Al Pascual, SVP research director and head of fraud and security for Javelin Strategy and Research, explained that his company and the FIDO Alliance surveyed 400 businesses on their authentication practices. Although he was adamant that the authentication practices and technologies are out there to keep customer data fully secure, he sees a significant gap between those protections and what companies are actually using.
More than half of the companies surveyed only use a password to protect company intellectual property and financial data. “Everyone uses a password, and barely anyone uses anything else,” Pascual said.
Pascual stressed that there is no weaker authentication than using a password. “Yet most of the information in the enterprise is secured by passwords, not multifactor authentication,” he said.
The crux of the problem, he explained, is that companies are only focused on what is easy and cheap. And in the authentication world, nothing is easier or cheaper than a password. “‘Cheap and easy’ is protecting the enterprise. ‘Cheap and easy’ is keeping you and me from becoming victims,” he said.
However, one interesting and troubling finding in the survey is that there is a discrepancy between how companies authenticate their customers and how they authenticate their employees. Half of the businesses surveyed offer at least two factors for authenticating customers, but only 35 percent use two or more factors to secure access to that data by their employees.
Both groups are lagging in adopting high-assurance strong authentication, with only 5 percent of businesses offering the capability to customers or using it internally. The report notes that this offers a “clear opportunity” for cybercriminals, who are increasingly able to defeat even more advanced authentication solutions that are commonly referred to as strong.
Pascual challenged the notion of the term “strong authentication.” Obviously, using one factor cannot be considered strong. “But can you call two of these factors strong, knowing that they can be compromised?” he asked.
He added that the term is being floated around frequently by various regulatory bodies that are developing standards, such as the European Commission and PSD2. “What they’re basically talking about is some form of multifactor authentication. But any of those factors can be compromised. In traditional strong authentication, you are stacking one broken factor on top of another broken factor and calling it solved,” he said.
Javelin and FIDO favor authentication that combines a piece of public key infrastructure (PKI), such as a security key, with a piece of information that the user knows. “You put those together, and you're taking away the ability to spoof an element of that,” he said. “That's high assurance. That's strong authentication.”
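The pairing Pascual describes, as an added illustration that is not code from the article, from Javelin, or from the FIDO Alliance: the server enrolls a user's public key (standing in for a security key) and a salted password hash, then authenticates with a fresh challenge that the key must sign plus the password. Because the server never holds the private key, a copied server record yields neither factor, and a captured signature cannot be replayed. The user name, password, relying-party identifier and the toy 256-bit textbook RSA are all constructed for the example; a real deployment would use a standard signature scheme from a vetted library.

```python
"""Added example: possession factor (key pair) + knowledge factor (password).
Toy textbook RSA is used only so the example runs on the standard library;
it is not a production signature scheme (assumption: stands in for a FIDO key).
"""
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 256):
    """Return ((n, e), (n, d)): public key, private key. Toy size, for demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def client_sign(private_key, rp_id: bytes, challenge: bytes) -> int:
    """What the security key does: sign the relying party id plus the fresh challenge."""
    n, d = private_key
    return pow(_digest_int(rp_id + challenge), d, n)


class Server:
    RP_ID = b"example.test"  # constructed relying-party identifier

    def __init__(self):
        self.users = {}      # stores ONLY public keys and salted password hashes
        self._pending = {}   # one outstanding challenge per user

    def enroll(self, user: str, public_key, password: str) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = {"pub": public_key, "salt": salt, "pw": pw_hash}

    def challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def authenticate(self, user: str, password: str, signature) -> bool:
        rec = self.users.get(user)
        chal = self._pending.pop(user, None)  # consumed: a signature is valid once
        if rec is None or chal is None:
            return False
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        pw_ok = hmac.compare_digest(pw_hash, rec["pw"])
        n, e = rec["pub"]
        key_ok = signature is not None and pow(signature, e, n) == _digest_int(self.RP_ID + chal)
        return pw_ok and key_ok  # both factors must hold


def demo() -> dict:
    """Run the scenarios and return which ones authenticate successfully."""
    server, (pub, priv) = Server(), generate_keypair()
    server.enroll("alice", pub, "correct horse")  # constructed credentials
    c1 = server.challenge("alice")
    sig1 = client_sign(priv, Server.RP_ID, c1)
    out = {"both_factors": server.authenticate("alice", "correct horse", sig1)}
    server.challenge("alice")  # new challenge issued; sig1 is now stale
    out["replayed_signature"] = server.authenticate("alice", "correct horse", sig1)
    server.challenge("alice")
    out["password_only"] = server.authenticate("alice", "correct horse", None)
    c4 = server.challenge("alice")
    out["key_only"] = server.authenticate("alice", "wrong", client_sign(priv, Server.RP_ID, c4))
    c5 = server.challenge("alice")  # attacker holds the stolen server record, not the private key
    n, e = server.users["alice"]["pub"]
    out["stolen_server_record"] = server.authenticate("alice", "correct horse",
                                                      pow(_digest_int(Server.RP_ID + c5), e, n))
    return out


if __name__ == "__main__":
    print(demo())
```

Only the `both_factors` scenario succeeds; the replayed, single-factor and stolen-record attempts all fail, which is the property the static-question and SMS fallbacks mentioned next lack, since a phished one-time code or a leaked answer is directly reusable.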
Unfortunately, as the survey also revealed, companies are not doing well on this front either. They are typically relying on static questions or SMS one-time passwords as their additional factors, rather than security keys or biometrics, or some combination of the two types of authentication.
Concluded Pascual: “We have the tools to solve this problem but we are a very long way from calling the problem solved.”