The State of Multi-Factor Authentication (MFA)
On behalf of BIO-Key International, Osterman Research conducted an in-depth survey of mid-sized and large organizations on the state of MFA and related issues during May 2021. The survey uncovered how organizations are managing security and authentication, and attitudes toward various authentication methods including Zero Trust, passwordless approaches, and biometrics.
In this episode of IAM Pulse, we are going to discuss the implications of the survey findings and the role that MFA plays in any IAM solution to enable greater security and efficiency for controlling access to applications and resources.
Listen to the podcast:
You're listening to, IAM Pulse, a podcast, discussing all things, identity access management from defending against cyber-attacks and to enhancing our overall cyber security strategy is podcast is brought to you by BIO-key International and innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact of identity access management makes on you and your business.
So very quickly, as I mentioned, my name is , VP of Product at BIO-key. I've been with the company about a year now, but I have definitely been in cybersecurity and I am for over a decade. And just truly love the subject. As I mentioned who is BIO-key? Can you just real quick about us, we've been in the business over 27 years providing identity and access management, which of course includes multifactor authentication and our identity bound biometric solutions. We have over a thousand customers that trust us across all verticals around the globe. And our main platform BIO-key PortalGuard, which is an award-winning fully unified IDaaS platform. It really offers those flexible options for single sign on. As I mentioned, multifactor authentication, contextual, contextual authentication, and self-service password reset. Now the information you'll see today is based on a survey that Osterman research conducted for us.
They did an in-depth survey of mid to large size organizations back in May. We had about 169 individuals from organizations with at least 15 average of 1500 employees, anywhere from managers to C-level, to directors that are in the it and it security space. And it was focused on North America. So anytime that I referenced respondents or survey, that is the data that you are looking at now, let's get into it. So why is MFA so important if anyone has figured out multifactor authentication is talked about now in the news in a, I don't know about you, but my Uber drivers talk to me about it. I've talked to it with my mother. It seems like it has become the hot topic and mainly because the increasing cyber attacks are just starting to take over. And when everything's gone digital, especially with the pandemic, this has become even more prevalent.
And so for example, fraud, right takeover has increased by about 250% from just 2019 to 2020. And so why is multifactor so important? What's because for decades successful attacks against single factor methods have been working and the hackers are easily getting in. And we figured out very quickly that passwords just aren't enough. And so a lot of these common attacks you're seeing in the news a good example of that was colonial pipeline, right? That was a password protecting VPN account is really pointing out the need for multi-factor authentication solutions. Just some facts about passwords. They're failing us. I mean, we've known this, I think I've been to cybersecurity conferences now for years that we're talking about the death of the password and they're responsible for about 81% of breaches, right? Are leveraging something like a stolen or weak passwords, according to the Verizon data breach insights report of this year.
And so we forget them, we work around them, we create vulnerabilities. Honestly, one of the biggest issues is that people are involved. And so when it comes to using passwords versus multifactor, a lot of people start going back and forth between, right. But what can my users remember? But they don't love passwords, but at the same time, something new and introducing something new can be a challenge. And we'll talk about that in terms of the reservations between implementing MFA, but it is in essence, we know passwords are enough. I think here also one of my favorite recent common passwords list, you know, it's kind of sad to see that the top one is still 1, 2, 3, 4, 5, 6. First of all, terrible password policy. Second of all, it takes less than a second to crack it. So right there, these are the most common passwords we're not getting beyond these.
And it's just really more and more evident that we need to get beyond a single factor authentication. And so in short, we're saying, if you put in flexible, robust and properly manage multifactor authentication or what I'll call MFA throughout most of this presentation, it's going to significantly reduce the likelihood of breach and all the consequences that come with it, right? Not only just data and systems consequences, but brand and reputational damage along with costs. And so my MFA more accurately really is becoming a critical issue. And we need to make sure that it's something that even though it's been in use for many years, it's still not the norm for organizations. And so hopefully many of you listening in today are listening in so that you can start saying, okay, how do I start implementing this more effectively and getting this out to more of my accounts and protecting my organization.
So MFA has been a best practice for many years. And even though we say you should be requiring a hundred percent, that's definitely not the case. And you can see in the poll response about a third of you, some of you are using it a hundred percent of the time, which is excellent. So right now, based on the survey we saw about 70 of employees are required to use MFA and 40% of customer access, because remember those are users to accessing your system. So about 70% of employees, 40% of customers, that's still a relatively low use of MFA, right? If the best practice is a hundred percent of the time on a hundred percent of your accounts, we're still missing a significant amount of employees as well as customers. And that means the access to those critical applications and data sources are not as secure as it should be in any of those cases now, bad actors, right?
These guys out there that spend all of their days looking for these weak points, find those accounts and wreak habit on havoc on organizations. We're seeing that with ransomware, we're seeing that in terms of data, stealing malware or even staff to financial resources and intellectual property. And so looking at 2020 and 2021, right? If they've taught us anything, these types of attacks are definitely on the rise. Now, even though there's a relatively low use of multi-factor authentication, the good news it's increasing, right? That's why most of you are sitting on this call today. Most likely the survey found that medium median expenditure per employee for MFA is $33 in 2021. The good news is that over two thirds of organizations or roughly two thirds of organizations are planning to increase their investments in MFA over the next five years. So we are investing, we are getting it out there, but when it comes to a hundred percent of the time, we're just not quite there yet now.
So why isn't MFA implemented a hundred percent of the time, right? This is a question I ask myself very often being in the industry of I if it's such the obvious answer, then why doesn't everybody have it? And so it's really important to think about there are people involved. You know, that's really the core issue that I've seen when talking to organizations is that people are not good at change or, or doubt adopting different workflows. And so you can see here, the reason that the survey respondents said 47% are worried about lack of user adoption, right? So the other issues that stood out, things like concern about impact on privacy policies and regulation. What factors do you collect and are those going to meet compliance regulations? Also, it's too expensive. I hear this. So, so often is that some of the factors that are being chosen are expensive, right?
It depends on the factors such as a hardware token, that can be much more expensive than potentially a biometric, right? So things that are starting to come into play is what type of expense is incurred, especially if it's X dollars per user, per month. Those are considerations that you have to think of. And a lot of times when it comes down to it, the conversation about do we spend on MFA or do we forego it or just implement it exactly where we need it to save on cost? Oftentimes the implemented where we need it to save on cost is what wins out. And then oftentimes just not sure how or where to use it, depending on the industry, especially some organizations we talk to, they've been using passwords, they've been using passwords a long time, and that seems to work right until a breach happens or until that attack happens, it just seems like it's not going to happen to you. And so that's kind of the mentality that gets organizations in trouble and also in the headlines of the newspapers. The other thing I think that's not mentioned here, it didn't get called out is the lack of cybersecurity, talent, and resource, and so many organizations. And just in general, we have such a high, or excuse me, a big gap of cybersecurity, talent, and resources that there may not be the right people in the organization to help implement and manage MFA.
All right. So a quick, closer look at authentication methods and what the survey respondents thought. So we definitely saw a serious disconnect first and foremost. So between what it decision-makers perceive to be the most secure or highly secure MFA methods and what organizations have actually implemented. So for example, passwords, we're all in agreement, right? 26% believe they're highly secure. So there's a quarter of the people out there that regardless of the statistics still believe that they're highly secure, but on the other side, we're using them 85% of the time or 70% of the time for employee and customer access, right? Biometrics it's the opposite situation. We believe that they are highly secure. They are an absolute great way to prove is the person who they say they are. And yet they're not being used 27% and 13% for employee and customer access. And then finally hardware tokens, another great example, 61% believe they're highly secure, 34% and 12% usage. So there's disconnects in terms of what we perceive as highly secure, what we're implementing. And there's a variety of reasons that they, we aren't seeing organizations deploy more secure methods. They include perceived barriers to user adoption. As we talked about difficulties associated with integration across on-premise cloud work from home environments and then solutions that are sufficiently flexible to meet corporate needs and user needs, right? Finding a solution that offers all these options is often a challenge.
All right, so next category is going passwordless and biometrics. And so passwordless authentication. Like I said, doesn't require a password. A lot times people are seeing this used with the iPhone coming out with Apple's face ID and touch ID. That's been a very common implementation of device-based biometrics and using that for social media accounts or even my bank account now uses touch ID for my mobile phone. And so biometrics are becoming one of the most common methods for passwordless authentication. And that can include, of course the touch ID and face ID type methods that are device-based, but also identity bound biometrics as BIO-key provides, which we focus on things like fingerprint Palm print coming out with voice facial recognition, right? But biometrics is an excellent way that when you remove that password, you're adding in the strongest factor of authentication, which is really based on who the person is.
Now a large portion of the organizations are not planning to implement passwordless. So if you answered, you're not planning to implement it. That's basically on par with what we're seeing from our survey. It's a bit surprising to be honest, given the push that's out there in the market, maybe it's just a buzz word. Maybe it's something that, you know, vendors such as ourselves are trying to push into the market, but there hasn't been as much adoption. And so we're looking at only about 29% of organizations have implemented it for their employees and only 9% have done so for customers. And the good news is there are plans to do so. So 40% plan to do so for employees, 23% plan to do so for customers. The thing about password list. And I think the hesitation that I've seen is that it is a journey getting away from passwords. As I said, we've been talking about this for years. It's going to take time. It's going to take time to get off the systems of passwords, to go to something that doesn't require you to enter anything in, but you still feel that sense of trust. And also just changing systems, integration systems workflows, all of that change takes time. So passwordless, isn't something that happens overnight. But definitely happy to hear that at least a lot of organizations are starting to plan to implement this.
Now, looking at biometrics specifically among organizations that are considering to use biometrics as part of their authentication strategy, there's a variety of approaches. So 48% are only planning to put it in specific work groups, departments. I've seen it a lot for things like privileged access management 27%, which is excellent to hear across the entire organization and then 24, 20 4% plan to use it for only critical business applications. So again, saying, okay, we're going to leverage it just for the really critical data, the really critical applications or people that have keys to the kingdom, right? Those privileged access to users. And so that is something that's surprising, right? Biometrics are going to be much more popular for employee access then potentially customers by the statistics that we saw. So nearly four times as many organizations will be using those for employees as they will for customers.
But I think my question goes back is like, what's the hold up. If biometrics is the fastest, most secure and convenient authentication method. And if you remember the survey, we said that over 60% said it was highly secure method of authentication, then what is the hesitation? And so the lack of enthusiasm surrounding this may actually be a result of outdated perceptions and early generation biometric approaches that were relatively poor in comparison to today's. And so this is contradictory right to how it can be implemented today and often the false perception, what the false perceptions are compared to traditional authentication methods, biometrics can actually reduce risk and cost. And they're just as convenient, if not more convenient as mentioned before. Also interesting enough us people, consumers are okay using them. So according to a recent FICO study, the vast majority of consumers in north America are happy for their banks to use biometrics, to protect them. And actually it found that 70%, 76% of Americans would be happy to do this with over 40% even expecting biometric account logins, to be a part of the account opening process. You can also see vendors such as Amazon. They're bringing in Palm scanning pilots to do payment in whole foods, right? So we're getting more familiar, more comfortable with this, but what is the holdup, right? It's time to start thinking of biometrics as the fastest, most secure and convenient authentication method out there.
All right. Zero trust. So zero trust is exactly what the name implies. No user or resource is going to be automatically trusted based simply on its location or some other parameter. And instead the never trust always verify mantra means that each user resource access requests are actually presumed untrustworthy. And so then that proper vetting, proper authentication and authorization has to happen before access is granted. And so this has really changed right from the, I have a castle and moat mentality because now with remote working and honestly just with cloud-based access applications and the way we do business, there really is no perimeter. Right? Everybody talks about the perimeter being a completely outdated concept and security, and it really is true. So how do you establish any type of trust? And so we've gone all the way to a zero trust architecture that essentially says don't trust anything until you can it now, where are organizations when it comes to implementing zero trust? So asking all of you honestly, most are planning to do so. So we have about 33% that have implemented it. 59% are planning to do so in the near future. And only 8% are not planning to implement it at all. Now, the other thing I will say is, again, just like passwordless zero trust is a journey. It's not something that happens overnight and definitely has multiple phases and approaches to get there.
So what are some of those leading drivers for putting in zero trust? Why do businesses do this in the first place? Really it was about preventing data breaches as about 84% of these respondents noted. And this was extremely important or important reason for doing so we also saw 68% consider the ability to address new attack vectors and compliance requirements as important or extremely important for implementing zero trust. So if you think about all the concerns we have in security right now being victim to cyber attack, things like ransomware, it makes a ton of sense if that's the main driver for protecting your organization, [inaudible] now change is arising from that. So organizations, you do have to make several changes to the cybersecurity strategy you have in place in order to adopt and deploy zero trust. So here you can see 69% were planning to update or create a security policy that's absolutely going to have to be done and probably in a much more granular fashion than has been done in the past 58% plan to implement new technologies and solutions and an equal number, actually plan to replace various technologies and solutions.
So a lot of outdated or legacy, or even not that old I am systems are unable to support zero trust as well as other things like networking firewalls, et cetera. And then 54% plan to implement MFA. I talked about it being a journey. One of the first steps on that journey is to implement multifactor authentication a hundred percent of the time to a hundred percent of your account. Yes, interestingly zero trust will have comparatively little impact on it and security labor. So only 18% plan to hire additional head count and expertise. Now, this was surprising though, since the leading reason that organizations with no plans to implement zero trust won't do so was because 54% of them said they don't have time budget staff or resources to do so. So implementing zero trust with the deployment of those new technologies and processes, more implementation security policy updates and other items are going to require more staff and more resources.
So again, this is a conflicting situation, right? Even well, most of you are planning to implement zero trust. There isn't really a plan to increase head count. And like I said, there may actually be not so much that there's a lack of resources to do so, but also it's difficult to find those resources given the cyber security talent shortage that we're in. All right. So finding the right MFA solution. So we asked that same question to survey respondents, and they were asked what's missing from their current I am and therefore MFA solutions. And you can see here, just some of the things that they cited. So biometric capability, multiple MFA methods passwordless support provisioning governance, cloud-based deployments, right? We're still implementing these things on prem and SSO options, single sign on options and application integrations, right? So I am is more than just multifactor authentication. And so it has to have a lot of flexible options and support what I think of as kind of the three legs of the stool, which is multi-factor authentication, single sign on, and self-service password reset more over there, several challenges that organizations have had an implementing their IAM solutions that were noted. And these included user education and adoption, lack of in-house expertise, difficulty integrating their, I am solution with existing it infrastructure and a load of other problems.
Now, when it comes to whether current solutions are ready for the future, we also found that many organizations are not all that satisfied with their current. I am. So for example, 35% basically agreed or strongly agree that their employees and customers like using their current, I am. So just for reference, that means two thirds do not like using their current IAM solution, which is an issue, especially for user adoption. Only 38% said that their I am solution can support future security requirements and 44%. Their current IAM solution can protect their organization from cyber attack. So think about that. You have a solution in place that's meant to protect. You meant to give convenience to your users, keep them secure, keep their data secure and a very low percentage like using it. Don't think it's going to support them in the future and is not preventing cyber attacks. So major gap here in terms of what current IBM solutions are doing for organizations and what you really need from those solutions to have and to be successful. So if you're unsure, need more information BIO-key, we're always here and happy to help. But thank you so much for taking your time today and joining me. And we look forward to you on the next call.