Customer Authentication Practices 2019

Companies Move "Beyond the Password" to Strong Authentication

We're at an inflection point where it's beginning to look like passwords will be a thing of the past. Although IT and security professionals have known for years that passwords leave users vulnerable to phishing and other cyber-attacks, they've been slow to adopt any of the viable alternatives developed over the last decade. But now, it appears that movement is speeding up, and broad adoption of strong authentication technology may be on the horizon.

IT and security leaders have the facts: data breaches continue to increase and passwords are a critical weakness. They have the tools: mainstream biometric technologies, smartphones with built-in biometric scanners, and strong authentication standards developed by FIDO and W3C and adopted by leaders like Google and Microsoft.

What will be companies' next moves? Will they go passwordless? If so, what technology will they adopt? And what is still hindering mainstream adoption of biometrics? We asked leading IT and security professionals to find out...

Methodology

Strong authentication expert ThumbSignIn, market intelligence firm One World Identity (OWI) and Identity and Access Management (IAM) provider Gluu partnered to conduct an exclusive survey of top IT and security participants, including C-level executives and VPs from various industries, such as finance, IT, education, and others. The surveyed participants provided insights based on their companies' current and planned authentication practices to determine adoption trends in customer authentication, including 2FA and biometrics.

Key Findings

Respondents are more interested in biometrics for user experience (100%) than they are for security purposes (75%)

Password+2FA (36%) is on its way to overtaking password-only (40%) for website authentication

In the next few years, passwordless biometrics (21%) will be the second fastest growing authentication method behind 2FA (29%)

76% think complexity of implementation is a top-of-mind issue when implementing biometrics or 2FA

Facial recognition is by far the most widely considered type of biometric authentication

64% of respondents feel FIDO is necessary or a good-to-have standard

More than 60% of the companies surveyed are already using strong authentication and 29% are looking to implement or expand their use of 2FA

The next touchpoints that are a focus for better security are workflow authentication (68%) and call centers (65%)

Companies still rely heavily on passwords

Passwords continue to be widely used for authentication. 40% of websites and 47% of apps still rely on passwords as their only form of authentication.

However, although passwords are still the primary means of authentication for both websites and mobile apps, more companies are choosing to add a second method to strengthen password authentication -- for example, two-factor authentication (2FA) for websites and biometrics for mobile apps. As of now, very few companies have gone passwordless.

These responses reflect how difficult it can be for companies to amend or replace status quo authentication processes, even when more secure multi-factor and biometric authentication tools are available on the market. Forty percent of web services are still exclusively using passwords, and, as the next chart indicates, nearly three in 10 respondents don't yet have clarity on the best way to proceed, despite the existential security and privacy threat that password-based authentication architectures pose.

62% of companies are planning to move to strong authentication methods in the short term

Overall, the majority of companies are planning to move towards strong authentication methods, with 29% of respondents planning to implement/expand 2FA, 21% planning to implement/expand biometrics, and 12% planning to change to a more secure method of 2FA. Only 10% of companies are happy with their current authentication practices. Interestingly, although the majority of respondents say they are planning to upgrade their authentication, some uncertainty remains, with 28% still determining the "correct" way forward.

What companies have planned in the short-term

29%: Implement/expand 2FA
28%: Determining the "correct" way forward
21%: Implement/expand biometrics
12%: Move from SMS/OTP to a more secure 2FA
10%: Happy with current setup

Not all 2FA is created equal, as indicated by the 12% of respondents here who are considering a move from SMS-based two-factor authentication to one that is less vulnerable to growing attack vectors like SIM swaps. For those customers that leverage SMS-based 2FA for access to online services, it's critical for them to update their cell phone account passwords as well.

Companies are switching to new authentication methods to have better security preparedness, improve UX, meet compliance mandates and follow industry best practices

83% of respondents say the need for better security preparedness is motivating them to implement 2FA, while 78% are driven by the need to meet industry best practices. All of the companies considering biometrics indicate that improving user experience is the primary driver.

The 39% of respondents whose organizations are switching to multi-factor authentication because of a compliance mandate is a number we expect to grow in the coming years. As part of the EU's Revised Payment Services Directive (PSD2), for example, many companies are now required to implement Strong Customer Authentication for digital transactions, making 2FA a legal requirement. We anticipate increasing regulatory attention to customer-facing privacy and security in the short term.

Perceived barriers to switching to strong authentication include implementation challenges and the potential for customer confusion and increased friction

The top reasons respondents cite for not upgrading authentication processes are anticipated challenges and complexities of implementing 2FA or biometrics, as well as possible negative effects to customer experience, such as customer confusion or user friction (26%).

These results reflect a gap between the perception and reality of implementing multi-factor authentication methods. Of those companies already moving to stronger authentication processes, most report that improved user experience is a primary driver. For those who have avoided 2FA deployment, fear of poorer user experience is a primary barrier. While it's true that user experience demands may vary across markets and industries, that's a fundamental contradiction. Today's digital-first consumers are, increasingly, more aware of security hygiene and demand stronger authentication -- it's time for companies to keep up with that evolution.

The majority of companies are in the process of researching or implementing new authentication solutions

Improved authentication is a current focus for most companies, with 36% of respondents actively researching new solutions and 24% currently implementing strong authentication solutions.

These results indicate that issues around improved authentication are taking up quite a bit of bandwidth for companies' senior leadership. Forty-five percent of respondents are at some stage of researching multi-factor authentication methods, reflecting substantial demand for reliable information and innovative solutions involving authentication technology. These results also show good reasons for that -- a need for improved security, regulatory compliance, and user-centric experience. The consensus that strong authentication is an industry best practice is good for companies and consumers alike.

Companies' top authentication choices are facial recognition, fingerprint and mobile app authentication

Of the respondents who are considering biometrics, 100% are considering facial recognition and 82% are considering fingerprint recognition. For non-biometric 2FA, the vast majority of companies are considering authentication that uses their mobile app (86%).

Smartphones have been a driving force in bringing biometrics to the masses in recent years. With Samsung's iris scan and Apple's FaceID, most consumers now think of biometrics as a common convenience feature, not just a security fence. More and more, consumers expect and even demand biometric authentication for their most sensitive information, especially when it comes to mobile banking and payments.

When implementing biometrics and 2FA, companies faced or expect to face challenges such as complex implementations, disruption of existing processes and lack of customer adoption

After decades of password use, the road to new authentication structures may be a little bumpy. Companies are readily anticipating the challenges that could arise while implementing biometrics and 2FA. The top challenge that respondents have faced or expect to face is the complexity of implementation (76%). Other expected challenges include disruption of existing processes (48%) and lack of customer awareness/adoption (45%).

The identity and security space has come to near universal consensus that multi-factor authentication, often involving biometrics, is superior to password-only systems. What stands out here, then, is that the barriers to implementation revolve almost entirely around bureaucracy and corporate structure: possible budget overruns, fear of complex implementations and "disruption of existing processes" -- which may translate into "not the way we've done it before." Agility in identity security architecture is a real issue for many companies, especially large enterprises.

FIDO is not a priority when choosing an authentication solution

FIDO ("Fast IDentity Online") is a set of industry open standards that reduces reliance on passwords. FIDO supports biometric authentication, including fingerprint and face recognition, as well as USB security tokens, smart cards, and more. While standards are essential for wide adoption of strong authentication, respondents don't seem to place a high value on it.

Only 18% of respondents think FIDO is necessary and important. Many respondents (46%) believe it's simply a "good to have," rather than a requirement.

These responses seem to indicate that we have a long way to go in terms of educating the identity and security space on open standards. Many companies know that, in theory, standards are important, but have little tangible experience with how FIDO certifications can directly lead to better outcomes for their customers or more security for their corporate data.

43% of companies are currently considering ways to better secure other customer touchpoints, including workflow authentication and call centers

Many companies are thinking beyond websites and apps when it comes to upgrading authentication. 16% of respondents are already working on securing customer touchpoints other than websites and apps, and 27% of respondents have plans to do so. The touchpoints that respondents say are most in need of better security are workflow authentication (68%) and call centers (65%).

Although we find that 43% of companies already are looking at and implementing solutions across multiple touchpoints, there is a need to further educate the market on what is possible, as 16% say they haven't found a solution they think will work, and 19% aren't sure that it's possible.

Consumers interact with companies across a broadening array of touchpoints, and most customers expect tailored, convenient interactions using the channels they prefer (e.g., mobile, web, voice, etc.). It's encouraging, then, that most respondents have at least considered authentication across the entire customer lifecycle. Fraudsters evolve quickly, so it's important to have robust identity processes wherever a business process intersects with a user journey.

Final Thoughts

The survey finds that while biometrics and other strong authentication methods are on their way in, the main driver for implementation may be user convenience rather than security. This came as a surprise to us. Considering all of the data breaches, hacks, and privacy concerns we've seen over the last decade, it seems logical that companies should be more concerned about security and protecting sensitive customer data. Although most participants are looking for what amounts to a FIDO-based solution, many still don't know enough about FIDO.

However, whether the driving force for the strong authentication revolution is reducing friction or increasing security, the race is definitely underway, with the majority of respondents planning to deploy 2FA in the next year, closely followed by biometric login, specifically facial recognition.

Why have IT professionals taken so long to go biometric or 2FA? Overall, professionals say the implementation is too complex, implying that if we want passwords to actually be a thing of the past, creators of strong authentication solutions must focus on making implementation easier and provide a seamless experience for both IT executives and end users.

For more information regarding this survey or strong authentication solutions