The shift to remote work in 2020 allowed many employers to maintain productivity and to offer workers more flexibility during the pandemic, but it also exposed businesses to unprecedented security risks.
Employees who previously had been connected to on-site private networks equipped with firewall protection began to share sensitive data on corporate networks remotely. The resulting surge prompted 80% of businesses across industries to increase their focus on identity security, according to a June survey. The increased emphasis did little to bolster employers’ faith in their ID security strategies, however, as confidence levels dropped precipitously from 49% to 32% year over year. Concerns were well-founded, as 77% of organizations in a September 2020 study reported an increase in the level of identity fraud since the pandemic began.
While employees continue to embrace working from home, their enthusiasm may not extend to good remote security practices. An October study reported that 95% of employees wanted to continue remote work indefinitely, yet an overwhelming share admitted to poor security practices, as 67% violated corporate policies in ways ranging from sending work documents with personal email addresses to sharing passwords or installing rogue applications. Sixty-nine percent of respondents said they used corporate devices for personal use, 57% allowed other household members to use their work devices and 82% of all remote workers said they reused passwords.
Remote work has made companies more vulnerable to cyberattacks, but the upside is that the virtual workplace is driving a growing number of firms to adopt innovative identity verification strategies led by multifactor authentication (MFA). The following Deep Dive looks at trends in digital ID verification in response to the move to remote work over the past year and a half. It also explains why the future of online verification likely will see MFA combined with newer, passwordless technologies to offer the greatest security and convenience.
Remote Work Is Boosting MFA Adoption
Authentication factors used in ID verification usually consist of knowledge-based factors (such as passwords or PINs), possession-based factors (such as bank cards or mobile phones) and biometrics (such as fingerprints, facial scans or voiceprints). Other factors may include location and time.
Customer authentication has evolved over the past year. Traditional online safeguards have generally been knowledge-based, but data breaches and exposures affecting millions during the pandemic have highlighted these methods’ vulnerabilities to data theft by third parties. Knowledge-based authentication works in theory by asking users for answers to questions only they would know. However, data breaches already may have exposed this information. Many banks and other companies are increasing security measures by implementing MFA, which uses at least two different authentication factors to verify users’ identities.
Companies that once relied solely on usernames and passwords now routinely are adopting additional methods based on possession factors, such as sending one-time passcodes to confirm customers’ identities with the possession of their mobile devices. Consumers find biometric methods such as voice, face or fingerprint recognition increasingly convenient and acceptable when these options are available. Behavioral-based authentication takes biometrics’ convenience a step further by requiring no active input from users. Research from Experian earlier this year showed that for the first time in four years, passwords are no longer consumers’ choice as the most secure authentication method, as physical biometrics, PIN codes sent to mobile devices and behavioral analytics now make up the top three spots.
An April study noted that MFA was the top security technology to be adopted by firms across industries in direct response to the pandemic, as 49% of firms have done so. Almost three-quarters of companies said they plan to increase spending on MFA, with even higher shares in the retail and financial services industries (80% and 81%, respectively). Half of all surveyed firms are boosting MFA spending by more than 10%, and half have restricted the use of usernames and passwords.
MFA proponents say the practice can discourage most hackers, and a 2019 Microsoft report found that MFA stopped 99.9% of these attempts. Detractors of the method insist, however, that waiting for a second authentication or more can be slow and sometimes confusing for the less tech-savvy. Many experts are embracing the idea of fully passwordless security, combining biometric measures such as facial or retinal scans with secondary factors for the most user-friendly MFA approach. MFA will figure prominently in the future of online security one way or another, so companies would be wise to invest in these strategies now.