Authentication is one of the top priorities for organizations, as 84% of respondents in SecureAuth’s inaugural “State of Authentication” report placed authentication and access management in their top three to five security priorities.
SecureAuth grouped verification factors, such as one-time passwords and PINs transmitted over SMS text messages, emails, or phone calls, as “traditional multifactor authentication.” Organizations are increasingly exploring newer multifactor authentication (MFA) methods, such as invisible MFA and passwordless technologies, according to the report.
The biggest focus appears to be single sign-on (45%), followed by invisible MFA (38%), two-factor authentication (36%), and continuous authentication (35%). Invisible MFA refers to silently collecting information needed for verification without requiring any user action, such as entering a one-time password or approving a push notification on an app. Invisible MFA combines behavioral, environmental, and contextual signals to determine whether the user is logging in from an authorized device.
The major trend in security nowadays is consolidation. Organizations are trying to reduce the number of security tools in order to minimize integration challenges and reduce complexity. But that is not the case with identity when it comes to identity provider products. Three-quarters of the respondents (76%) say their organizations rely on multiple identity provider products for various reasons, including failover and use-case requirements (such as users on different operating systems). Failover makes a lot of sense – the last thing security teams want is users being unable to access the services and applications they need because the primary identity product is unexpectedly offline or compromised by an attack.
Identity provider products named in the report include Microsoft (E3 and E5), Okta, Ping Identity, ForgeRock, and SecureAuth.
Most respondents have some form of MFA in their organizations, according to the report. This reflects the security team’s reality; The growing volume of credentials-based attacks means organizations cannot rely on passwords alone for authentication. Cyber insurance also plays a role, as many carriers make using MFA as a requirement for having a policy.
Nearly a third of respondents said they have plans to implement passwordless technologies in the next six months, while another third have plans within the next 12 to 24 months. The biggest barrier to implementation is having too many competing priorities (55%), lack of knowledge about the technology (46%), and budgetary constraints (24%).