The number of companies relying on usernames and passwords as their sole means of authentication is on the decline, according to a recent study from the Ponemon Institute.
Of the more than 1,800 IT professionals polled, 68 percent of those in North America said they need to ensure authentication goes beyond just usernames and passwords, which is why 46 percent said they will be further rolling out two-factor authentication in 2014.
The reason for this shift is that it has become easier than ever for hackers to break into sensitive accounts by conducting a brute-force attack or simply guessing the password. According to SplashData, easy-to-guess strings like “password” and “iloveyou” are still among the most common passwords used online.
While two-factor authentication is far better than just using a username and password for cloud security, it still has its faults. In particular, it turns out that many companies are not always validating every element involved in two-factor authentication, especially when text messaging is involved.
According to the Ponemon Institute study, 29 percent of North American IT experts polled said that 11 to 20 percent of one-time passwords are never sent to a user’s mobile device. Furthermore, 29 percent stated that they were not even aware that these kinds of delivery failure issues can occur.
“Enterprises and Internet companies know that the traditional username and password is simply not enough anymore,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “However, companies deploying SMS-enabled two-factor authentication need to ensure that one-time passwords aren’t being sent to invalid mobile numbers.”
Enterprises increasingly understand the benefits of two-factor authentication and strong cloud security, but guaranteeing that assets remain safeguarded is far easier said than done.
However, when companies deploy a proven software authentication platform, their information security professionals sleep much easier at night knowing that access to critical data is protected by appropriate security and identity verification measures.