Survey: Security Practitioners Ready to Bolster but not Bury Passwords

Authentify survey suggests 72.5 percent of security practitioners believe passwords will not be replaced in the foreseeable future; 41 percent believe two-factor authentication is needed to strengthen account protection

Chicago, Illinois, UNITED STATES

CHICAGO, Dec. 3, 2013 (GLOBE NEWSWIRE) -- Despite nearly weekly revelations of new password database breaches, a survey conducted by Chicago-based Authentify, Inc., the pioneer in employing telephony and telephones in authentication work flows, suggests that passwords will remain the primary protection for online accounts. 

Of the survey respondents, 72.5 percent indicated that in their respective worlds, passwords would continue to be used. Only 2 percent of those who responded indicated doing away with passwords altogether was something they favored, and 41 percent indicated that they favored implementing a second authentication factor to strengthen login processes using passwords. Of all of the respondents, 63 percent indicated a voice call or secure message to the user's phone or mobile device was the favored second factor versus challenge questions.

There were 428 security practitioners across financial services, corporate information security and health insurance providers that responded to the emailed survey.

"I was surprised that there was very little difference between the security professionals in financial services and those in corporate information security," said John Zurawski, vice president of marketing for Authentify, Inc. "I expected more of an anticipated shift away from passwords in financial services."

The survey results did indicate a slight difference between larger and smaller financial services firms, with the smaller firms standing their ground in the continued use of passwords camp. 

Zurawski said, "I suspect that the tendency to continue to rely on passwords as a primary authentication technique is driven by the user community.  At smaller, less urban institutions, the customers may be less technically savvy, and the banking staff may know the customers and their habits much better than at a larger multi-national."

As a shared secret, poor "password hygiene" and reuse practices by end users can contribute to the vulnerability of a password, but many of the recent exposures, such as the Adobe, GitHub and Cupid Media hacks, have not been the result of poor practices by end users.  A hacker will have an easier time decrypting simple passwords versus more complicated ones, but once an entire password store is compromised, a hacker can work on cracking them at their leisure.

Requiring the end user to accept a phone call or secure message or tie a phone or smart mobile device to the account via a security app greatly reduces the attack surface for that account.  Consider that for an account permitting access via the Internet, a username and password can be used from any endpoint with a browser. Anyone armed with the correct username and password could connect from anywhere.  Mandating the user to control a second device or to use the presence of a secure app on their mobile device linked to the account limits the access points to those devices over which the user has direct control. If passwords are not going away any time soon, two-factor authentication for online accounts is the logical next step.

About Authentify, Inc.

Authentify, Inc. is the leading innovator of global phone-based, out-of-band authentication services and was recently ranked as a visionary by Gartner. Authentify's services enable organizations that need strong security to quickly and cost-effectively add 2-factor or 3-factor authentication layers to user logon, transaction verification or critical changes such as adding a payee to an e-pay or wire account. The company's patented technology employs a service-oriented message architecture and XML API to seamlessly integrate into existing security processes. Authentify markets primarily to financial services firms that need to protect their clients' online accounts, corporate security professionals managing corporate access control and e-merchants who want to limit fraud on their sites.

(c) December 2013, Authentify, Inc. Authentify and 2CHK Technology Patents Issued and Pending: U.S. PATENT NOS. 6,934,858 / 7,383,572 / 7,461,258 / 7,574,733 / 61,327,723 / 61,334,776 / 12,938,161 / 13,006,806 / 13,011,387 / 13,011,38 7 / 13,011,73