User authentication is in the news each time a large password database gets compromised, the most recent and largest to date being Adobe’s, with reportedly 150M compromised user accounts. Most articles focus on the sensational, but some also ask about solutions or alternatives: how do we get out of it, or past it? At inWebo, while we have a vision for solving the authentication dilemma, we also wanted to gauge how aware organizations and service providers are of the user authentication problem. So we conducted a survey of 104 IT security professionals. Here are the results and the lessons we draw from them.
Status quo is no longer an option
That’s the first and main lesson: fewer than 10% of respondents see no motivation to move away from traditional site-centric, password-based user authentication. If the saying “motivation precedes action” holds, then the survey shows that service providers and organizations take user authentication seriously and will finally do something about it.
Most respondents consider it not secure enough (67%), face user dissatisfaction with it (53%), or simply no longer want to store user passwords at all, to avoid the hassle and the liability in case of a breach (32%). Respondents seeking to collect user data through social login (8%) are fewer than expected: is this a sign that privacy concerns have gained importance in recent months?
Alternatives are well known
Here again, a small surprise: whereas the “man in the street” (even the streets of San Francisco!) barely knows authentication techniques beyond SMS codes and Facebook Connect, a vast majority of respondents are aware of alternatives to site-centric, password-based user authentication: 65% know about social login, 83% about multi-factor authentication, and 52% about federation and single sign-on.
The gap between these awareness figures and actual implementations should raise questions. With such levels of awareness, both of the pain and of the solutions, how is it that site-centric, password-based authentication is still so prevalent?
Perceived constraints to change
Part of the answer to that question may lie in what respondents expect, and perhaps do not find, in the alternatives. Not surprisingly, the top two motivations for moving away from traditional password-based authentication, security and user convenience, are also the top two criteria when assessing alternatives: 92% and 72% of respondents respectively rate them as “very important”.
Absolute cost (50%) matters less to respondents than the relevance of the investment and interoperability (65%), which they tag as essential. Finally, respondents seem to accept that improving user authentication may impact their existing systems or their user support processes, since fewer than 50% and 40% respectively rate those impacts as “very important” criteria.
What’s next for user authentication?
When asked about the relevance of alternative “form factors”, service providers give an interesting insight into the short-term evolution of user authentication.
The most favored methods (tagged as a “perfect fit”) are in-app authentication (43%) and browser-based transparent authentication (33%), which again shows the focus on user convenience. Then come key-chain tokens (31%), biometrics (28%), and soft tokens (26%). Finally, one-time codes sent by text message (SMS-OTP) are a perfect fit for only 10% of respondents, so it seems that SMS-OTP has fallen out of favor in just a few years.
The other end of the answers is also worth looking at. In-app authentication (5%) and browser-based transparent authentication (9%) are the methods least often tagged as “not fit” by respondents, followed by soft tokens (11%). All other methods, including biometrics (23%), SMS-OTP and key-chain tokens (both 25%), have a rejection rate above 20%, which makes it unlikely that they will go mainstream in the near future.
Being both the most favored and the least rejected, the frictionless methods (in-app and browser-based multi-factor authentication) are therefore good candidates for replacing password-based authentication. This is very much aligned with inWebo’s vision and roadmap for user authentication!