After the RSA Security breach, organizations are less confident in security tokens as a method for multifactor authentication, according to a recent report.
The recent data breach at RSA Security is encouraging IT
professionals to re-evaluate alternative authentication methods and to
reconsider the safety of token-based authentication, according to a recent
Nearly 44 percent of IT professionals who were aware of the
RSA data breach
are now re-evaluating
token-based authentication platforms, according to a survey released by
PhoneFactor on April 27. The survey covered more than 400 IT professionals across
multiple industry sectors, and 48.6 percent reported they are currently using
either hardware or software security tokens in their organizations.
Fully 93 percent of the respondents were aware that
attackers had stolen information about RSA's SecurID two-factor authentication
technology. Furthermore, 57 percent indicated that the RSA breach has reduced
their confidence in security tokens
Independent of the data breach, about 86 percent of the
respondents were concerned about the effectiveness of hardware tokens against
increasingly sophisticated cyber-threats. Of this group, a little more than
half said man-in-the-middle attacks have reduced their confidence in security
provided by tokens.
Due to overall security concerns and lack of confidence in
tokens, 65 percent of the respondents said they are either currently
evaluating or plan to evaluate other out-of-band authentication methods. That
number inches up a little higher to 70 percent when looking only at the
respondents who were aware of the RSA incident. Nearly 15 percent of the
respondents who were aware of the breach said they are speeding up plans to
evaluate alternative products.
This is consistent with a Gartner forecast that the use of
specialized authentication hardware such as tokens will decline dramatically to
be less than 10 percent by the end of 2013. Google is one of the major
organizations that have recently implemented phone-based authentication for its
The survey did not specify whether the institutions are
considering these alternative methods for use internally by employees or for
customers accessing external-facing services.
Nearly all-96 percent-of the IT managers in the survey
have other concerns besides security with their current token deployments. The
issues include the amount of resources needed to deploy and manage the
technology, lack of convenience, high ongoing fixed and internal support costs,
and the lack of interoperability with mobile devices and cloud services.
The level of concern is particularly high in the banking and
financial services sector, as 81 percent said their organizations are
evaluating the use of out-of-band authentication. About 82 percent of banking
professionals said their organization is likely to consider phone-based
technology because they think it is the most secure.
Irrespective of the industry, 68 percent said they are
considering phone-based out-of-band authentication. Respondents listed
out-of-band authentication, such as relying on a phone call or text message, as
a leading alternative to tokens because they are easier to use and rely on a
device users already have.
Of the 400 respondents that replied to the email survey, a
little over a third of the respondents were from organizations with less than
250 employees. The survey included IT managers, IT staff, product managers and
PhoneFactor is a multifactor authentication provider that
sells phone-based technology.