Data Security Part 2

In Data Security, It’s a Numbers Game

Requiring multifactor authentication makes it harder for hackers to access information

By Leonard Klie

 

Editor’s Note: Part 1 of this series, which identified different types of enterprise security holes, appeared in the May issue of CRM magazine.

In its most recent Cyberthreat Defense Report, CyberEdge Group noted that more than half of business security and IT leaders (52 percent) believe a successful cyber-attack is likely in the coming year, up from 39 percent in 2013.

Given all the news around the high number of large-scale data breaches that befell companies such as The Home Depot, Staples, Anthem Health, and Neiman Marcus in 2014, it’s not surprising. It’s also not surprising that many businesses feel helpless to defend against hackers, who, according to the report, managed to work their way into more than 70 percent of business data networks, up from 62 percent in 2013. 

While the problem is pervasive, and protecting against it is indeed a challenge, there are a number of basic, low-cost steps that companies can take to secure consumer data. 

Experts largely agree that a firewall—a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic—should be the first line of defense against hackers and malicious software. Antivirus and antispyware software should make up the second line, scanning for and removing programs and code that can damage computers or compromise the valuable data they store.

The third line of defense should be multifactor authentication. Multifactor authentication is a security system that requires more than one method to verify a customer’s identity before allowing him to log in to an account, access information, or perform some other transaction. The goal of multifactor authentication is to create a layered defense; if one factor is compromised, the hacker still has at least one more barrier to breach before breaking into the system.

Multifactor authentication can involve any combination of the following elements:

Larry Ponemon, founder and chairman of the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy, calls multifactor authentication “absolutely critical” for a secure customer experience. Not having it “is a recipe for disaster.”

“You need to authenticate on more than one platform,” Ponemon adds. “Passwords and security questions alone are not secure enough. Personal information is just too readily available, and the answers to the standard questions can be found out too easily.”

Thomas Loeser, a former federal cybercrime prosecutor who is now a partner at Seattle law firm Hagens Berman, agrees. “Multifactor authentication provides a huge advantage,” he says. “It prevents someone from gaining access to sensitive information just because he has a user name and password, which hackers can easily get.”

In 2014, 783 major data breaches in the United States potentially exposed hundreds of millions of customer records to hackers, according to information compiled by the Identity Theft Resource Center (ITRC). Many of them “could have been avoided with multifactor authentication,” Loeser states without hesitation.

Leslie Ament, senior vice president and principal analyst at Hypatia Research, called multifactor authentication “a highly necessary component in protecting customers from fraud as well as for managing business risk.”

 

Adoption Shortfalls

Multifactor authentication is not new, Loeser says, noting that it has been available for the past 20 years or so. Sadly, though, few firms outside of the financial services arena have adopted multifactor authentication, most data security professionals agree.

“Adoption is not where it should be, not at all,” says Bob Siegel, founder and CEO of Privacy Ref, a Boynton Beach, Fla.–based privacy and security-consulting firm.

Ryan Wik, director of customer success at NuData Security, a Vancouver-based cybersecurity firm, calls the recent flurry of data breaches “a wake-up call” for companies that have typically relied on just one form of authentication to verify customers’ identities.

The majority of online banking and shopping applications, Wik says, still require only email addresses and passwords for users to log in to their accounts. 

But as more companies are faced with the harsh realities of cybercrime, adoption of multifactor authentication technology is bound to rise, industry experts predict.

Siegel just hopes it’s not too late. “People need to realize just how valuable customer data is,” he says. “Hopefully, it will happen sooner than later.”

Some research firm reports have estimated the current value of the multifactor authentication market at just slightly less than $2 billion. Market intelligence firm MarketsandMarkets expects it to reach $10.75 billion by 2020, growing at a rate of 19.98 percent compounded annually.

So far, of the firms that have adopted more than one factor for authentication, two seems to be the magic number, making up about 90 percent of all current deployments, according to MarketsandMarkets’ research.

Many financial firms and other organizations, including Google, Facebook, Microsoft, Twitter, and Apple, are already using two-factor authentication. 

One-time passwords and tokens have emerged as a preferred choice among firms that have adopted some form of multifactor authentication; they are considered very secure because the passwords they generate are only valid for a single session or transaction. In recent years, hardware tokens have been increasingly replaced by their software counterparts (soft tokens), which use either smartphone apps or the phones themselves to supply secret codes for authentication. 

Digital certificates based on public/private key cryptography are also an effective authentication mechanism. Public key techniques have been adopted in many areas of information technology, including network security, operating systems security, application data security, and digital rights management.

 

Piquing Interest

Enterprise mobility, virtualization, and cloud computing are among the major trends driving the multifactor authentication market forward. Government regulation is also likely to spur adoption. The Federal Financial Institutions Examination Council’s 2005 guidelines recommending multifactor authentication as a way to secure financial transactions online drove many financial services firms to adopt the technology.

Part of the expected growth can also be attributed to the rise of biometrics, such as voice, fingerprint, retina, and facial scanning. The MarketsandMarkets report found that all authentication methods using more than two factors included some form of biometric scanning.

Voice biometrics alone has been growing during the past couple of years. According to Opus Research, the industry closed 2013 with more than $165 million in sales. That figure is expected to more than triple, exceeding $584 million, by 2017, representing a 37.2 percent compound annual growth rate, Opus Research reports. 

Opus Research also identified approximately 150 voice biometric deployments worldwide already, with more than 70 million voiceprints on file. These voiceprints were provided voluntarily by customers, shattering the myth that customers don’t want the technology or are unwilling to enroll their voiceprints, Dan Miller, founder and lead analyst at Opus Research, points out.

The report identifies Nuance Communications, VoiceTrust, Auraya Systems, Agnitio, SpeechPro, and VoiceVault as industry leaders. 

Nuance has publicly stated that users of its technology currently store approximately 45 million voiceprints. Alexey Khitrov, president of SpeechPro, says versions of his company’s voice biometrics technology are currently being used in more than 70 countries around the world. 

Opus found that globally, voice biometrics was used primarily by companies in the telecommunications, financial services, retail, and travel industries. Other sectors that are finally playing catch-up include government, healthcare, insurance, education, and law enforcement.

Loeser fully endorses using physical features, such as voice or other biometric characteristics, as a factor for authentication. Most hacking, he says, is being done from overseas, in countries such as China, Russia, and North Korea. “It can’t be done with security that requires some kind of physical content,” he argues.

Ponemon identifies himself as “a big fan” of biometrics, saying it can be built into smartphones, laptops, and tablets “very easily today.”

 

Breaking Barriers

Many reasons exist for the slow uptake of multifactor authentication so far, but the real problem has been companies putting their own profits and customer convenience ahead of security. “There’s been a tug-of-war for a long time between making things more convenient for the end user and making them more secure,” Ponemon states.

Convenience and security do not have to be mutually exclusive, though, he argues. A company can, for example, use automatic number identification technology first to determine the validity of the phone number from which the caller is dialing. While the caller speaks to the interactive voice response (IVR) system or live agent, a voice biometrics engine can unobtrusively compare his voice with a stored voiceprint. If there is still some doubt as to the identity of the caller, a security question can follow.

“A lot of times, the customer does not even know [the company is] doing all of this,” Ponemon says. “They might only see one example, but there are other things the company is doing behind the scenes.”

With modern technology, “it is possible to make multifactor authentication as invisible to the end user as possible,” he adds.

A comprehensive solution will allow companies to effectively enforce the appropriate method of authentication across applications, endpoints, and deployment environments—whether on premises or in the cloud—without over-burdening end users, adds Monolina Sen, a senior analyst in ABI Research’s digital security practice. 

Also helping boost customer acceptance: The solutions available today are good at what they do. “From a consumer standpoint, what we have in place seems to be working well,” Siegel says.

The technology was most noticeable in the past when it failed, either generating a false positive that blocked access to an authorized individual or a false negative that allowed access to someone who should have been blocked, Ponemon maintains.

“This happens, but we’re seeing fewer and fewer instances of it as the technology gets better and better,” he says.

In the past, getting more than one form of authentication usually meant deploying solutions from multiple vendors, and this caused companies to delay adoption. But that, too, is starting to change as vendors combine authentication technologies into single product suites.

In June 2014, Sensory introduced TrulySecure, a combined voice and vision authentication solution for mobile phones, tablets, and PCs. TrulySecure brings together Sensory’s speaker verification, facial recognition, and biometric fusion algorithms. No special hardware is required; the solution uses the devices’ standard microphones and cameras. 

SpeechPro also offers one-product multifactor authentication through its VoiceKey line. SpeechPro VoiceKey.WebAccess, introduced in September, enables users to access Web applications, corporate networks, and online accounts simply by speaking short passphrases and by capturing pictures of their faces, all without having to type in passwords. 

VoiceKey.WebAccess uses a triple biometric accuracy process that combines speaker authentication, facial recognition, and a “liveness” test. The liveness test ensures there’s an actual person in front of the device, not a photo or an audio recording. The technology uses a combination of more than 70 voice features and more than 40 facial features to confirm the subject’s identity, and authentication takes only a few seconds.

Contact Solutions, through a partnership with Pindrop Security and IDology, also offers a multifactor solution to prevent contact center fraud. Called Adaptive Fraud Protection, it leverages Contact Solutions’ Red Flag technology to detect and tailor appropriate responses to suspicious activity in the IVR using real-time analytics. IDology’s ExpectID IQ is incorporated to provide automated knowledge-based authentication in which responses are verified in real time. And, lastly, Pindrop’s Phone Reputation Service contributes to the combined security solution with its real-time caller ID.

Not to be outdone, Authentify in March launched Authentify xFA SecureCallCenter to protect contact center agents from social engineering attempts. With the SecureCallCenter app, a user logs in to the institution’s mobile app and taps a contact center button. This triggers Authentify xFA’s biometric authentication sequence while a voice channel call is also placed to the contact center. After the user has been authenticated, the SecureCallCenter app connects the call and passes the end user’s contact and account information to a module at the contact center console. The module interprets the information for the console, enabling the information to be displayed to the next representative in the queue.

“This is a unique combination of security features where digital certificates, voice biometrics, and a fingerprint could be coupled for authenticating an inbound call,” said Alan Dundas, Authentify’s vice president of product architecture, in a statement. “There are 60,000 customer service representatives employed across just the top 20 call centers in the U.S. The majority of them are operated by financial services. If you saved each representative only five minutes a day on authentication tasks, that translates to 250,000 employee hours per week. The ROI is easy to measure.”

 

Cost-Benefit Analysis

As with most enterprise technology investments, cost is a pressing issue, especially for small and midsize firms and young start-ups. Thoughts there are starting to change as well. “There are costs associated with multifactor authentication,” Loeser says. “They’re not astronomical, but the technology does require some degree of financial commitment.”

“It used to be really expensive to put in [multifactor authentication]. There was a high cost associated with deployment and maintenance, but all that is changing now,” Ponemon says.

Additionally, the benefits far outweigh any costs, especially when compared to the damage caused by a data breach, Loeser contends. Those costs, he adds, “can be astronomical.”

When it comes to multifactor authentication, it’s important to determine which deployment methods and factors will best suit your organization. 

No matter which option the company chooses, though, Hypatia Research’s Ament recommends “assiduous” back-end integration and cross-organizational design. Then, she recommends, authentication methods should be deployed consistently across channels and modes. Customers don’t care that companies have selected different tools for the e-commerce and contact center channels, she points out.

And, then, it helps to keep in mind that no system is 100 percent foolproof, but that doesn’t mean that companies shouldn’t try. “It doesn’t take much to provide multifactor authentication. It might make it a little slower to get data out of the system, but it’s definitely worth it,” Loeser says.  

 

News Editor Leonard Klie can be reached at lklie@infotoday.com.