Multi-Factor Authentication

Transcription

1 Multi-Factor Authentication Current Usage and Trends whitepaper Executive Summary In the wake of continuing breaches, it is abundantly clear that governing access to corporate resources solely through static user names and passwords isn t enough. In this digital age, validating identities and controlling access is vital, which is why multi-factor authentication has become such a fundamental requirement in so many organisations. As security teams contend with such trends as cloud migrations and the influx of consumer devices, the approaches, strategies, and plans for authentication will continue to evolve. This white paper draws on a large survey to provide a current picture of the authentication landscape, and it offers insights into how this landscape is expected to change in the coming years. Introduction Multi-factor authentication refers to the use of two or more means for establishing a user s identity before granting access to a specific asset, application, or service. Authentication factors can include something the user knows (such as a password), something the user has (such as a token), or a user s specific physical attribute (such as a thumbprint). Security teams have been relying on multi-factor authentication for quite some time. Today, however, the nature of multi-factor authentication is changing in some fundamental ways: Expanding usage. Demand for multi-factor authentication continues to grow. In the past, authentication was often deployed within an enterprise to address specific groups and use cases, such as VPN access. Now, there is a trend toward making authentication standard operating procedure for a much broader set of users and uses, such as safeguarding access to collaboration portals and cloud-based services. In response to the major security breaches that have been occurring, prominent vendors like Dropbox, Facebook, Google, LinkedIn, Microsoft, and Twitter have added capabilities for multifactor authentication to their online services. Increasing urgency. The need to leverage multi-factor authentication continues to grow increasingly urgent. This urgency is being driven both by traditional demands to mitigate risk and address compliance mandates, and to sustain security in the midst of such emerging trends as the proliferation of cloud services, collaboration tools, and bring your own device (BYOD) initiatives. For example, in cloud environments, multiple tiers and types of administrators may have access to infrastructure and assets, and multifactor authentication can be a vital mechanism for preventing unauthorised access and enforcing unified access policies. Multi-Factor Authentication: Current Usage and Trends Whitepaper 1

2 Evolving technology. Given the shifts in the technological environment brought about by cloud services and mobile device proliferation, there has been a fundamental evolution in terms of how authentication is used and implemented. For example, the increased use of smart phones in an enterprise means that more people are using their mobile devices to access corporate resources. Likewise, the distribution and decentralisation of data and applications across the enterprise and the cloud means that users have to authenticate to more resources. To gain a better understanding of how the authentication landscape is evolving, SafeNet conducted a survey of around 350 senior IT and security professionals around the world. This white paper reports on the findings of this research, providing a current look at the authentication market and some insights into its future evolution. This survey is the second SafeNet has conducted on this topic; the first was carried out about a year before, and this report offers some comparisons with these prior results to highlight some key trends that have been identified. Summary of Top Findings Following are a few of the most significant findings the survey uncovered: Cloud-based authentication quickly gaining widespread acceptance. When asked whether they prefer cloud- or server-based authentication models, almost 33% indicated they preferred cloud-based authentication. One year prior, only about 20% said they preferred cloud-based authentication. This increased preference for cloud-based offerings is also in evidence in the growing adoption of SaaS-based offerings more generally as well as the increased adoption rates of SafeNet s authentication-as-a-service offering. Employee usage expanding. In the survey, 2 said less than one-tenth of employees were using multi-factor authentication, while more than 32% had indicated that was the case one year ago. Only expect that less than 10% of the workforce will be using these types of authentication in two years. This data attests to the fact that IT organizations are making strong access controls a higher priority, particularly as the use of cloud offerings and mobile devices continues to provide new means of accessing corporate data and services while at the same time creating new vulnerabilities. Substantial increase expected in mobile user authentication. Currently, 34% of respondents say more than half of employees use multi-factor authentication in order to access corporate resources from their mobile devices, and 54% expect that to be the case in two years. Authentication costs run the gamut. When asked how much they spend annually per user on authentication, 1 said they are spending less than 15 currently. On the other end of the spectrum, 10% say they currently spend more than 48. The wide variance in per-user costs can be attributed to a couple factors. First, this can be ascribed to the wide range of organization sizes that made up the respondent sample. For example, 43% of respondents work with companies with more than 1,000 employees, and larger organizations will typically be able to negotiate for more heavily discounted token pricing when purchasing in bulk. Additionally, larger organizations may take a more structured approach to their authentication implementations, which enables them to capitalize on all the potential cost savings that can be realized by automating as many processes as possible. Second, the disparity in numbers can also be due to the products and methodologies employed. For example, those organizations that have adopted hardware tokens will typically see higher per-user costs than those who have deployed other token types or employed context-based or out-of-band (OOB) authentication methods. Multi-Factor Authentication: Current Usage and Trends Whitepaper 2

3 Software-based authentication soon to eclipse hardware based. Now the second most common approach, software-based authentication looks poised to take the lead in the next two years. Hardware-based approaches are currently used by 48% of respondents, but only 41% expect to be doing so in two years. On the other hand, usage of softwarebased alternatives is expected to grow from 40% to 50% in two years. This increasing preference for software-based alternatives has also been reflected in the makeup of SafeNet s token sales. SafeNet offers a number of token alternatives, including a wide range of hardware- and software-based offerings. As SafeNet customers look to control costs while addressing the increased demand for authentication, many are growing increasingly reliant on software-based alternatives. Two-factor Authentication: Employee Usage in the Enterprise The survey polled respondents on the number of employees in their company, and the results revealed there was a broad mix of organisation sizes represented. Respondents were fairly evenly split among the various categories provided. About one-quarter of respondents worked in companies with less than 100 employees, and, combined, 47% were from companies with less than 500. On the other hand, 28% were from organisations with more than 5,000 employees, and 43% represented companies with more than 1,000. Today, IT organizations are being tasked with guarding against more sophisticated attacks, controlling access from a broader range of devices, and securing corporate assets across more diverse environments. For all these reasons, the use of multi-factor authentication is poised to expand. Today, the biggest percentage, 2, say less than 10% of the workforce is using multi-factor authentication. One year ago, 32% indicated that was the case. In contrast, 1 now say % of the workforce is using multi-factor authentication, a category that had a 12% response a year ago. When asked to estimate their usage in two years, only said less than 10% of the workforce would be using multi-factor authentication, whereas one year ago 12% expected that to be the case. In two years, 2 anticipate that % of the workforce will be using multi-factor authentication. In the past year, the percentage of respondents that have more than 50% of the workforce using multi-factor authentication grew from 30% to 37%. In two years, 5 expect more than half of their users to rely on multi-factor authentication. In your organisation, what percentage of employees use multi-factor authentication today? In your organisation, what percentage of employees will use multi-factor authentication in two years? Less than 10% 2 Less than 10% 10-20% 13% 10-20% 20-30% 11% 20-30% 8% 30-40% 8% 30-40% 40-50% 40-50% 50-60% 50-60% 7% 60-70% 4% 60-70% 70-80% 70-80% 80-90% 4% 80-90% % % 2 Multi-Factor Authentication: Current Usage and Trends Whitepaper 3

4 Preferences: Server- vs. Cloud-based Authentication To gauge the evolving perspectives on cloud adoption, the survey inquired as to whether respondents preferred server- or cloud-based authentication. Since last year, there has been more than a 50% increase from 21 to 33% in the number of respondents who prefer cloudbased authentication. As a frame of reference, in its Magic Quadrant for User Authentication, Gartner estimates that by the end of 2016, approximately 30% of enterprises will choose cloud-based services for new or refreshed authentication implementations 1. While it isn t possible to make direct comparisons across these different surveys, given the fact that the SafeNet survey, taken late in 2013, indicates 32.7% are now open to the cloud, it would appear momentum may be picking up in terms of cloud adoption, perhaps even faster than analysts anticipate. This increased openness to cloud-based services can be attributed to the general increase in cloud-based service usage. Further, as cloud-based services continue to evolve, many vendors are beginning to address the security gaps and obstacles that impeded cloud adoption in the past. For example, SafeNet has invested in ISO certification for its authentication-as-aservice offering, which can help strengthen customers trust in their cloud implementations. What is your preference between server-based authentication versus cloud-based authentication? Server-based 67% 7 Cloud-based 21% 33% 0% 20% 40% 60% 80% 100% Token Types in Use The survey looked at respondents usage of various token types. Following are some of the key takeaways: Decline of hardware, rise of software. As outlined earlier, IT organizations are being tasked with supporting multi-factor authentication for more devices, users, and use cases. As they seek to meet this demand, ease of use and cost continue to grow increasingly critical. These demands are fueling an increased move from hardware- to software-based tokens. When asked about current usage of tokens, hardware tokens were the highest referenced category, receiving a response of 48%. Perhaps more strikingly, one year ago, hardware was referenced by 60% of respondents. In the most recent survey, when respondents were asked to project hardware usage in two years, that number is expected to drop to 41%. On the other hand, one year ago, 27% were using software-based authentication approaches. This year, the number grew to 40%, and responses indicate it will likely rise to 50% in two years. 1 Gartner, Magic Quadrant for User Authentication, 9 December 2013, Ant Allan Multi-Factor Authentication: Current Usage and Trends Whitepaper 4

5 SMS to stay flat. One year ago, results indicated that the percentage of organisations using mobile-based authentication would grow substantially, from 28% to 4. However, when it comes to SMS specifically, this year s survey points to a more subtle increase, with SMS-based authentication going from 23% to 2 in two years. The fact that this mode of authentication isn t expected to grow more rapidly may be attributable to a couple factors. First, given the carrier fees associated with authentication-based SMS messages and the potential for additional roaming charges, this form of authentication tends to grow less cost effective as usage rates increase. In addition, SMS authentication is contingent upon the availability and performance of the user s mobile phone network coverage, which can lead to unpredictable accessibility. Other form factors to grow in two years. Across the board, respondents clearly expect to become increasingly reliant on multi-factor authentication, and this is helping fuel growth across some less broadly employed categories, including biometric (going 14% to 18%), grid or pattern-based (7% to 10%), and context-based authentication ( to 14%). Traditionally, biometric authentication hasn t been widely adopted by most enterprise security organizations. However, the slight increase expected may be attributable to the interest in using biometric methods to secure access from mobile devices. There are many different types of tokens. What percentage of your current employees use each type now? There are many different types of tokens. What percentage of your current employees do you expect to be using these in two years? Hardware 48% Hardware 41% Software 40% Software 50% SMS 23% SMS 2 Biometric 14% Biometric 18% Grid 7% Grid 10% Context Based Context Based 14% Multi-factor Authentication from Mobile devices With the massive shift ushered in by increased mobile device usage and BYOD in enterprises, there have been significant implications for multi-factor authentication deployments, and those changes look likely to continue in the next two years. When asked whether access to corporate resources is being restricted to users of mobile devices, respondents were fairly evenly split, with 53% saying yes and 47% saying no. While more than half have identified the need and the means for applying multi-factor authentication to mobile devices, the remainder of respondents may still be waiting to address this relatively new paradigm or remain uncertain as to the best approaches and technologies to use in doing so. Do you restrict your users from accessing corporate resources from mobile devices such as smartphones and tablets? Yes 52% 47% No 0% 20% 40% 60% 80% 100% The survey then inquired as to the percentage of employees that use strong, multi-factor authentication when accessing corporate resources from their mobile devices. Currently, many respondents fall on opposite ends of the spectrum. For example, more than half of respondents have less than 30% of mobile users leveraging multi-factor authentication, and 34% have more than 50% of users that do so. Multi-Factor Authentication: Current Usage and Trends Whitepaper 5

6 Survey respondents were then asked to predict how their usage would look in two years. In that time, the percentage of respondents that expect less than 10% of mobile users to be relying on multi-factor authentication drops from 40% to 1. In contrast, the group that has % of mobile users employing strong authentication grows from 22% to 33%. In addition, those that will have more than half of users employing these safeguards grows from 34% to 54%. What percentage of users are currently required to use strong authentication to access corporate resources? What percentage of users will be required to use strong authentication to access corporate resources from mobile devices in two years? Less than 10% 3 Less than 10% % 10% 10-20% 8% 20-30% 20-30% 30-40% 7% 30-40% 40-50% 40-50% 8% 50-60% 50-60% 7% 60-70% 1% 60-70% 3% 70-80% 3% 70-80% 80-90% 2% 80-90% % 22% % 33% Multi-factor Authentication: Applications In many organisations, multi-factor authentication has historically been used largely for securing VPN access, but particularly as IT organizations contend with the complexity introduced by BYOD and cloud adoption the number of additional applications has been increasing. The survey inquired into how many applications other than VPN access are being secured through multi-factor authentication, and 34% said none. One year ago, 42% indicated that was the case. While the number has decreased, given the continued incidence of high-profile and large-scale breaches, the fact that over one-third aren t using multi-factor authentication more broadly is somewhat surprising. This statistic may be at least partially attributable to the fact that many IT organizations have failed to keep pace with the rapid adoption and proliferation of mobile devices, cloud services, and virtualization. However, as IT organizations increasingly make it a priority to respond to these trends, the number of organizations that use multi-factor authentication solely for VPN access seems sure to continue to decline. Currently, 48% of respondents said they use multi-factor authentication for one to three additional applications, a category that grew from 40% a year ago. 13% said they are using multi-factor authentication to secure more than five applications. Apart from securing VPN access, how many other applications do you use multi-factor authentication for? None 34% % % 48% More than 5 13% 12% 60% 70% 80% 80% 100% Multi-Factor Authentication: Current Usage and Trends Whitepaper 6

7 The survey also polled respondents on the various applications in which multi-factor authentication is being employed, and following are the respective responses: SaaS applications: 38% Virtual desktop infrastructures (VDI): 22% Private clouds: 40% Outlook Web Access: 3 It is interesting to note that two relatively new applications, SaaS and private cloud, now eclipse a more traditional application like Outlook Web Access. Which other applications do you use multi-factor authentication for? SaaS appliations 38% VDI 22% Private Cloud OWA 40% 3 Cost of Multi-factor Authentication The survey looked at authentication costs, both in terms of what respondents pay and what they d expect to pay. The results point to a big contrast between reality and expectations. For example, 1 are currently spending less than 15 per user every year, while 42% would expect to pay less than 15. Only 42% spend less than 36 currently, but over three-quarters, 7, would expect to do so. On the other hand, in those organisations that pay higher amounts, respondents seem to have expectations that are more aligned with their actual expenditures. 10% spend more than 48, and would expect to do so. As outlined earlier, the increased demand for multi-factor authentication will place a premium on reducing authentication costs and maximizing ease of use. Perhaps this disparity between actual costs and expectations can be at least partly attributed to aspirations, and the need to reduce costs in response to expanding demand. As management teams assess their costs, it is important they do so within the context of having an accurate understanding of the total cost of ownership of the solution, including both its hard costs and soft costs. Hard costs refer to the specific expenditures required to procure and implement a solution, including not only software license costs, but ongoing incident resolution, security audits, virus and security management, user administration, and so on. Soft costs refer to the objectives and attributes an organization wants to realize through the solution deployment, whether specific availability metrics, 24/7 support for global end users, increased security, and so on. All costs considered (including help desk, administration, and token distribution) how much does your multi-factor authentication solution cost per user, per year? Less than 15 Euros/Pounds Between Euros/Pounds 1 23% Between Euros/Pounds Between Euros/Pounds Above 60 Euros/Pounds 4% 11% Don t know 37% Multi-Factor Authentication: Current Usage and Trends Whitepaper 7

8 All costs considered (including help desk, administration, and token distribution) how much would you expect to pay per user, per year? Less than 15 Euros/Pounds Between Euros/Pounds 3 42% Between Euros/Pounds 14% Between Euros/Pounds Above 60 Euros/Pounds 4% Evaluating Authentication Solutions and Vendors The survey looked at the factors that respondents consider when evaluating authentication solutions and vendors. When they evaluate solutions, ease and convenience are widely considered to be a significant determining factor. 3 point to ease as critical, 52% say it is important, and 12% say it is quite important. Only 1% said it was not important. This widespread recognition of ease of use is very much in line with the broader market trends outlined above. As described earlier, ease of use will be a critical success factor if organizations are to effectively manage budgets while adapting to increased demand for multifactor authentication. Further, ease of use also has a direct impact on overall security: History has clearly proven that any time security mechanisms place too much burden or inconvenience on users, they will fail to consistently use the mechanism or find ways to bypass it altogether. Consequently, ease of use is a critical factor in determining whether organizations can realise consistent adherence with security policies. To what extent is ease of use and convenience for your end users a factor when considering an authentication method? Critical 3 Important 52% Quite important 12% Not important 1% Once an organisation has signed on with an authentication vendor, what factors would get the management team to make a change? Perhaps it shouldn t come as a surprise that cost was a deciding factor for many, over 5. The vendor s level of support was the next highest category, receiving a response of 48%. Dissatisfaction with the solution was the most important factor for 3. What is your biggest motivator to switch authentication vendors? Cost Level of support 48% 5 Dissatisfaction with solution 3 60% 70% 80% 90% 100% Multi-Factor Authentication: Current Usage and Trends Whitepaper 8

9 Conclusion In recent years, the pace and scope of change has been dramatic, and, as the survey makes abundantly clear, more change is in store. The move to mitigate the risks of static user names and passwords has been underway for some time, and the survey makes clear that management teams understand the increasing need to secure access to more applications, safeguard more endpoints, and manage more identities. To contend with BYOD, organisations will increasingly implement strong authentication for users of mobile devices. To address all these demands, security organisations will be well served by authentication platforms that offer automation, support for multiple use cases, and flexible delivery options. These realities are clearly a big reason that cloud-based authentication, virtually an unknown a few years ago, is now the preference for more than 30% of respondents. About the Survey This white paper draws its findings from a survey of more than 350 individuals from around the world. About 2 were from the Asia Pacific region; 42% from Europe, Middle East, and Africa; and 2 from North America. About SafeNet Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet s data-centric approach focuses on the protection of high value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments. Contact Us: For all office locations and contact information, please visit Follow Us: SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) A4-28Mar2014 Multi-Factor Authentication: Current Usage and Trends Whitepaper 9