A survey has found an increasing amount of angst among users of security tokens for two-factor authentication technologies.
The survey, which was conducted by PhoneFactor, an Overland Park, Kan.-based company that sells tokenless, telephone-based two-factor authentication, found some organizations are considering other two-factor authentication options.
Of the 400 IT pros surveyed, 93% of respondents with current token deployments indicated they were aware of the RSA breach affecting SecurID tokens, which was disclosed in March. Of those, 44% are now re-evaluating their current use of tokens and another 15% are speeding up an already planned evaluation of token alternatives, according to the survey.
“If due to the RSA breach it becomes necessary to replace security tokens already deployed, 70% would prefer to replace them with an alternate two-factor method,” the PhoneFactor survey found.
RSA announced a serious breach of its systems affecting SecurID users on March 22. The company later confirmed the SecurID breach began with two waves of spear phishing attacks using an attached Microsoft Excel file, which targeted an Adobe Flash zero-day flaw. Sources close to RSA said it is unlikely all SecurID tokens will need replacing.
Even with the stolen data, security experts say an attacker would need a higher level of sophistication and some blind luck to hack into a firm using the SecurID technology. Data needed to pull off a successful attack is located on an encrypted management server at the customer’s location, and each user creates a unique ID and PIN.
In addition, 96% of respondents to the PhoneFactor survey reported additional issues with token deployments. More than half said token deployment placed a burden on IT resources and was inconvenient to end users.
Security experts say the kind of out-of-band technology used by PhoneFactor boosts security, but isn’t foolproof.
Multifactor authentication technologies have been popular in banking and financial services firms grappling with a rise in phishing and man-in-the-middle attacks targeting their customers. The technology is often used for customers doing high-value transactions. It is also being adopted by law enforcement and other sensitive government agencies. The survey found the RSA SecurID breach is unlikely to reduce the growth of the technology. Sixty-three percent of all respondents indicated they plan to increase use of other multifactor authentication methods over the next two years.
PhoneFactor’s out-of-band two-factor authentication technology uses a phone call or text message, rather than a token, to provide a second factor. More than two-thirds (68%) of all respondents indicated they are likely to use phone-based authentication in the future.