RSA SecurID Breach Shakes Confidence in Token-Based Authentication: Survey

After the RSA Security breach, organizations are less confident in security tokens as a method for multifactor authentication, according to a recent report.

The recent data breach at RSA Security is encouraging IT professionals to re-evaluate alternative authentication methods and to reconsider the safety of token-based authentication, according to a recent survey.

Nearly 44 percent of IT professionals who were aware of the RSA data breach are now re-evaluating token-based authentication platforms, according to a survey released by PhoneFactor on April 27. The survey covered more than 400 IT professionals across multiple industry sectors, and 48.6 percent reported they are currently using either hardware or software security tokens in their organizations.

Fully 93 percent of the respondents were aware that attackers had stolen information about RSA's SecurID two-factor authentication technology. Furthermore, 57 percent indicated that the RSA breach has reduced their confidence in security tokens overall.

Independent of the data breach, about 86 percent of the respondents were concerned about the effectiveness of hardware tokens against increasingly sophisticated cyber-threats. Of this group, a little more than half said man-in-the-middle attacks have reduced their confidence in security provided by tokens.

Due to overall security concerns and lack of confidence in tokens, 65 percent of the respondents said they are either currently evaluating or plan to evaluate other out-of-band authentication methods. That number inches up a little higher to 70 percent when looking only at the respondents who were aware of the RSA incident. Nearly 15 percent of the respondents who were aware of the breach said they are speeding up plans to evaluate alternative products.

This is consistent with a Gartner forecast that the use of specialized authentication hardware such as tokens will decline dramatically to be less than 10 percent by the end of 2013. Google is one of the major organizations that have recently implemented phone-based authentication for its Gmail users.

The survey did not specify whether the institutions are considering these alternative methods for use internally by employees or for customers accessing external-facing services.

Nearly all-96 percent-of the IT managers in the survey have other concerns besides security with their current token deployments. The issues include the amount of resources needed to deploy and manage the technology, lack of convenience, high ongoing fixed and internal support costs, and the lack of interoperability with mobile devices and cloud services.

The level of concern is particularly high in the banking and financial services sector, as 81 percent said their organizations are evaluating the use of out-of-band authentication. About 82 percent of banking professionals said their organization is likely to consider phone-based technology because they think it is the most secure.

Irrespective of the industry, 68 percent said they are considering phone-based out-of-band authentication. Respondents listed out-of-band authentication, such as relying on a phone call or text message, as a leading alternative to tokens because they are easier to use and rely on a device users already have.

Of the 400 respondents that replied to the email survey, a little over a third of the respondents were from organizations with less than 250 employees. The survey included IT managers, IT staff, product managers and non-IT staff.

PhoneFactor is a multifactor authentication provider that sells phone-based technology.