End users do not like using two-factor authentication (2FA) options, and that feeling is getting worse as the need for multi-factor authentication increases.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iIT decision makers told SecureAuth that three-quarters of their end users complain about having to use 2FA, with 10 percent saying they “hate” it. I get that frustration. While I have no problem with going through multiple steps to log in to certain applications, it can be inconvenient if I don’t have my cell phone handy for the authentication text or forget which security question/answer set goes with which website. Craig Lund, CEO and founder of SecureAuth, recognized that frustration, saying in a formal statement:
IT professionals face an ongoing battle as they are frequently forced to choose between user experience and increased security. This should be a false paradigm in 2017.
2FA isn’t the only thing that suffers from providing a smooth user experience over security. It’s a problem that also plagues the Internet of Things (IoT). Not only is security not baked into IoT devices, end users prefer to focus on the convenience and bypass the security. Think about it. Which is easier – using the default password that comes with a router or changing it? And if you do change it, how many of you focus on a new password that is really easy to remember rather something strong?
Yes, we like convenience over security, even when we know we should be smarter. According to an eSecurity Planet article, a study conducted by the University of Phoenix found that 52 percent of end users will overlook security if it means better accessibility, even when we know what those risks are. Should we expect 2FA to be any different?
A better authentication method, the folks at SecureAuth believe, is adaptive authentication, which the Identity Automation blog described this way:
It’s a method for selecting the right authentication factors depending on a user’s risk profile and tendencies - for adapting the type of authentication to the situation.
This makes a lot of sense to me, especially as behavioral analytics are being used more as a cybersecurity tool to customize the authentication for the situation. It appears that IT decision makers are interested in this method, as the SecureAuth study found that 37 percent of respondents are using adaptive authentication already, and another 16 percent plan to adopt it in the next year. As Lund stated:
Organizations are already implementing stronger methods of user authentication, including adaptive access control and multi-factor authentication. By layering adaptive techniques such as device recognition, geo-location, the use of threat services, and even behavioral biometrics, organizations can verify the true identity of the end user while still providing positive user experience.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba