How much did the March RSA security breach shake its customers' trust in the SecurID two-factor authentication tokens?
One survey indicates 44 percent of businesses are reevaluating their use of security tokens, with another 15 percent speeding up already planned evaluations of alternatives. In banking and financial services specifically, as many as 81 percent of respondents indicated that security concerns surrounding tokens have caused their organization to evaluate the use of out-of-band authentication, with 82 percent indicating their organization is likely to use phone-based authentication.
The survey, completed Sunday, was conducted by Overland Park, Kans.-based PhoneFactor, a multi-factor authentication provider that leverages phone-based authentication in lieu of traditional tokenization. More than 400 responded to the survey, which was sent by email to about 35,000 IT professionals across a variety of industries.
"Before the RSA security breach even occurred we were seeing an increase in interest around alternative means of multi-factor authentication," says Sarah Fender, VP of Marketing and Product Management for PhoneFactor.
While nearly all respondents were aware of the RSA SecurID breach, Fender says a primary reason for the survey was to drill down and see whether there was any call to action among companies to make a change.
"Although it’s still a bit unclear, frankly, what’s going to be necessary to fully mitigate against that breach, there is still some discussion about replacing already deployed security tokens out there," she says. "Particularly in the banking space we’re hearing about and seeing a lot of cutovers move over to other methods of multi-factor security."
Among the drivers for multi-factor authentication for banks is security, particularly in the age of ZeuS trojans and man-in-the-middle attacks, Fender says, and out-of-band security is seen among banks as a main benefit of phone-based authentication. Further, Google's deployment of phone-based authentication has moved the cause forward.
"(The phone) is certainly something that we use for everything anymore," Fender adds. "The idea of using it for security is a natural extension of that."
PhoneFactor's survey did not specify whether institutions were looking at multi-factor solutions for use internally or for customer access. The survey was looking for plans to implement or discuss multi-factor security alternatives within the next two years.
"Multifactor authentication is a growing area, but we don’t expect to see that growth in demand affected by tokens," Fender says.