Analyst Chat

Analyst Chat #121: Increasing the Adoption of MFA and Risk-based Authentication

A recently published study shows that the use of strong authentication in enterprise environments is at a very low level. John Tolbert explains this finding to Matthias and together they discuss how to find a way out of this situation.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Senior Analyst and Lead Advisor for KuppingerCole Analysts. My guest today is John Tolbert. He is Lead Analyst for KuppingerCole in the U.S. Hi, John.

Hi, Matthias.

Great to have you. And this is the first of two episodes that we are doing around a topic of cyber security which has been around for quite some time, but it's still not yet used in the way that we would expect it to be. Let's start with MFA. How is the level of adoption currently in, especially when it comes to enterprise use cases?

You know, I think that's a really interesting question. And, you know, we have recently seen a paper that was published by Microsoft. It's a survey of MFA or multifactor authentication adoption at the enterprise level and looking specifically at what they see for Azure and it's kind of interesting. You're right. You know, we have been talking about multifactor authentication for many, many years now and the number of usage is surprisingly low. You know, it's 22%. So, you know, around one fifth of enterprises are using multifactor authentication. And, you know, given the emphasis on the number of news stories that we've seen in recent years around things, you know, as disparate as ransomware attacks on enterprises that are leveraging credentials to various kinds of fraud, you know, especially account takeover fraud, insider risks, data exfiltration. Many of these... most of us in the industry have been recommending multi-factor authentication as, you know, a chief means for remediating these kinds of risks. So to see that the adoption rate is down at 22% is very surprising. Certainly would expect a higher rate of utilization than that. And I think, you know, we in industry need to continue to communicate the need for MFA and also to talk about, you know, the variety of different kinds of multifactor authenticators that are out there and how they might be useful for different kinds of enterprises.

Right. Does that mean that organizations are not adequately executing some kind of risk assessments or comparing the price to spend for introducing MFA versus the risk that comes with it? When there is a breach, when there's no MFA.

You know, it may mean a decision about risk and maybe a decision about, you know, user convenience as well. You know, I think you know, from our consumer world, we are all familiar with what MFA tends to mean, you know, with getting an SMS text and then having to enter it somewhere else. And, you know, it's not very convenient. And actually that's kind of fraught with security problems of its own. But, you know, there are alternatives in the enterprise space especially that can bring together both, you know, a good user experience as well as improved security and maybe that's the message that we really should focus on, you know, to try to encourage MFA adoption.

Right. So but how can we spread the message apart from the research that we do?

Well, research is one good way. You know, we do review a lot of different products that are out there. We can certainly talk about and help people with their journeys on to password-less and risk-based authentication. You know, we are looking forward about a month from now for our EIC, the European Identity and Cloud Conference, where there will be a pretty good focus, of course, on identity subjects and authentication in particular. And we even have a section called MFA Usage in the Enterprise. So on that panel, we're going to talk to practitioners about MFA adoption in the enterprise and talk about some of the different kinds of options that are out there and how well or not they're working for those who will be there on the panel.

Great. Good to hear that. So it really is, the first stop would be our website going to and learning more about MFA. Second is joining us at EIC virtually or in person from the 10th to the 13th of May in Berlin for the EIC. And the third could be get in touch with us and get support in form of advisory. So thank you very much, John, for raising that topic, because I think it's really important that this level of security is raised because just having a fifth of the enterprises being capable of using MFA, this is just not adequate for 2022. And looking forward to our second episode with another topic where the adoption could also be much better. Thank you very much John, for being my guest today.

Thank you.

Bye bye.
