UK businesses are reluctant to let go of the security question as a form of verification, bucking a worldwide trend towards multi-factor authentication (MFA), a report has revealed.
While the global trend is for companies to move away from questions on birthplaces and relatives as verification methods, the practice is still the most common verification method and is increasing in use in the UK, according to identify and mobility management firm Okta.
Security questions asking for things like the user’s mother’s maiden name has declined by 14% worldwide since April 2014, but usage of such questions in the UK has increased by 17%, according to Okta’s inaugural Businesses @ Work Report.
Based on data compiled from the firm’s network of 4,000 pre-integrated applications and millions of daily authentications and verifications worldwide, the report details how businesses get work done and the preferences of IT leaders, employees and developers.
Due to the many data breaches and personal information leaks over the past few years, the report revealed that security is top of mind for businesses.
According to a report by Okta alliance partner Accenture, 51% of nearly 2,000 senior decision-makers questioned are concerned about security as a challenge for adopting digital technologies.
Okta’s data also shows that businesses are rapidly adding security measures to protect access to the sensitive data that employees are putting into cloud applications and services.
Further, the data revealed that businesses are moving towards authentication methods that are easy to use and more secure than security questions, which have proved to be fairly insecure because many of the answers to such questions can be found on social media or other online sources.
Cloud services driving MFA adoption
Businesses have traditionally protected virtual private network (VPN) gateways with a second factor to authenticate users, and as mission-critical infrastructure moves to the cloud, the report showed companies are also beginning to secure access with MFA.
“As organisations put more and more sensitive data in cloud-based apps – such as email content in Microsoft Office 365, sales data in Salesforce.com and employee information in Workday – companies increasingly bring on multi-factor authentication to ensure it’s only being accessed by approved stakeholders,” the report said.
Two-factor authentication (2FA) for all remote access services is key to defending against industrial and government cyber espionage groups, according to a Dell SecureWorks report unveiled at the BlackHat USA 2015 security conference in Las Vegas.
The Okta report said in 2015 there has been a 40% increase in adoption of MFA, which includes 2FA.
“As breaches continue to happen and enterprises look to meet compliance requirements, we expect the adoption of multi-factor authentication to continue,” the report said.
In addition to the fact that the answers to traditional security questions are easy to source online, the report said the adoption of MFA is being driven by cloud-based services.
Traditionally, MFA systems were purpose built for large enterprises, but cloud-based services are making the technology accessible to smaller companies, enabling similar adoption rates as their larger counterparts.
Large US-based companies are the biggest users of MFA, but smaller companies and businessess around the world are beginning to deploy MFA more broadly as the costs and risk of a data breach increase, the report said.
Security Assertion Markup Language
Although the UK is bucking the trend to move away from security questions, the report also showed that the UK is aligned with the rest of businesses worldwide in its increasing preference for text message (SMS) authentication systems.
Use of mobile text-based authentication has grown 8% globally in the past 15 months, while growth in the UK has been around 6%, the report said.
With companies starting to put a premium on security, developers are increasingly creating apps with the highly secure authentication mechanism Security Assertion Markup Language (SAML) baked in from the start.
According to the report, 19% of applications entered in the Okta Application Network today are SAML-enabled, a six-fold increase over the past two years.
Okta’s data showed a 614% growth in the past two years in enterprise applications built with SAML, which relies on single-use, expiring tokens to exchange authentication and authorisation data between a trusted identity provider and an application, and eliminates the need for people using the service to remember their usernames and passwords.
Businesses are rapidly adopting digital technologies, the report said, not just for their employees, but to provide value to their partners, engage their customers and add revenue streams.
Enterprises and customers are increasingly requesting independent software suppliers to use SAML because it is a far more secure way of authenticating users.
“What’s more, it’s becoming easier because cloud services are leveraging software to automate key exchanges, key management and new libraries that developers can drop into their apps,” the report said.