Global Enterprises Ramp Up Trusted Access
When thinking of access control, consider the venerable house key. You leave home in the morning for work. You may remember that the kids will be home early from high school. You might put the key in the mailbox, under the front door mat, or even in that fake plastic rock that—let’s be honest—is not fooling anyone.
While we see that key as a security control, it has limited utility. If someone were to find the key and gain access to your home, there is nothing to verify that the person coming through the front door is the one who should be doing so. The same holds true for relying on static usernames and passwords as a method of protecting access to digital resources.
To gain an understanding of how to secure enterprises, as well as the individual, it is incumbent upon security professionals to find better ways to enable a safe and secure environment. When we factor the human element into the equation, we see where the password can let us down. We have collectively managed to exhibit a pattern of insecure behavior such as re-using passwords on multiple sites. This is all too common, and it is done out of convenience in many cases.
How can we enable authentication models to protect individuals while also reducing risk to the enterprise? To put it simply: We need to democratize security. What does that mean? It means that companies need to provide security solutions that are robust and easy to use. Tools written by engineers for engineers are not going to endear themselves to the wider audience. By empowering the individual with intuitive tools, users can spend more time on their core competencies instead of growing frustrated with security.
Once the security team was seen as the “department of no,” but now security is growing into its role as a business enabler. Multifactor authentication is an excellent example of how that maturity has grown over the years.
The 2021 Duo Trusted Access Report went a long way to help illustrate the trends based on globally collected data from customers. The report was a collaborative, cross-team, data-driven effort that examined and analyzed customer authentication data. There was a keen interest in how customers were using policies, and we were able to see trends as they pertained to devices, browsers, and applications.
There was a substantial increase in the utilization of multifactor authentication (MFA) and passwordless technology across the board. The number of MFA authentications using Duo rose by 39 percent in 2021 compared to 2020, and there was a fivefold increase in WebAuthn usage. WebAuthn is a specification written by the World Wide Web Consortium (W3C) and the Fast Identity Online (FIDO) Alliance, and it is the underpinning for passwordless authentication. The Application Programming Interface (API) allows servers to register and authenticate individuals by using public key cryptography instead of just a password. This fivefold increase is telling as security professionals look to the passwordless future.
So, what does that mean in plain text? Well, this allows the end user to access resources in a seamless fashion without the need to remember a multitude of authentication credentials. For the security practitioner, this has the added value of drastically reducing tickets for simple tasks like password reset requests. Tickets of this nature can add up quickly and have a material impact on an organization. Passwordless authentication allows for a seamless user experience that reduces risk to the individual and the organization by removing the step of managing passwords from the user and allowing for automation to take up the mantle.
The data review for the report also uncovered that biometrics usage rose by more than 71 percent for authentication on mobile devices. Overall, the number of mobile phones with biometrics such as fingerprint and facial scanners implemented rose by 12 percent year over year.
So, why is passwordless adoption on the rise? As a part of the report, we integrated the results of a global survey that was conducted with security professionals. We found that nearly half (46 percent) of respondents across all 10 countries said that security issues related to compromised credentials are the most frustrating or concerning aspect of dealing with passwords in their environment. The business case for a new way to ensure the security of the enterprise has been made clear.
The Trusted Access Report is an excellent tool security professionals can use to understand the global authentication landscape and empower them to build their business cases to better secure their environments. Moving their staff to MFA with an eye to a passwordless future will help reduce enterprise risk, reduce costs, and fundamentally give all involved a better night's sleep—unlike hiding that physical key under a rock.
Dave Lewis is a global advisory CISO at Cisco Security. He has 25+ years of experience in IT security operations and management, including a decade dealing with critical infrastructure security. He is the founder of the security site, Liquidmatrix Security Digest, and has written columns for Forbes, Daily Swig, Huffington Post, and several other publications.