All Rights Reserved | FIDO Alliance | Copyright 2017
JAVELIN RESEARCH 2017 STATE OF AUTHENTICATION REPORT
AL PASCUAL, JAVELIN STRATEGY & RESEARCH
BRETT MCDOWELL, FIDO ALLIANCE
INTRODUCTION TO THE FIDO ALLIANCE
BRETT MCDOWELL, EXECUTIVE DIRECTOR, FIDO ALLIANCE
AUTHENTICATION IS OUR BIGGEST PROBLEM
• 81%: Data breaches in 2016 that involved weak, default, or stolen passwords [1]
• 65%: Increase in phishing attacks over the number of attacks recorded in 2015 [2]
• 1,093: Breaches in 2016, a 40% increase over 2015 [3]
[1] Verizon 2017 Data Breach Report | [2] Anti-Phishing Working Group | [3] Identity Theft Resource Center 2016
OVER 80% OF OUR PROBLEM
>250 ORGANIZATIONS SOLVING THE PROBLEM TOGETHER
+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS
THE MISSION: SIMPLER & STRONGER AUTHENTICATION
[Figure: SECURITY (Weak to Strong) plotted against USABILITY (Poor to Easy)]
= authentication
open standards for simpler, stronger authentication using public key cryptography
STATUS: FIDO-ENABLED SERVICES
>3 BILLION
AVAILABLE TO PROTECT
ACCOUNTS WORLDWIDE
STATUS: FIDO CERTIFIED PRODUCTS
[Chart: number of FIDO Certified products over time]
Apr-15: 32
Jul-15: 62
Sep-15: 74
Dec-15: 108
Mar-16: 162
May-16: 216
Aug-16: 253
Dec-16: 304
May-17: 343
Jul-17: 363
Oct-17: 383
BUSINESSES’ STATE OF AUTHENTICATION 2017
• >50%: Still use only passwords for authentication [1]
• 25%: Are using passwords + SMS OTPs [1]
• ONLY 5%: Offer high-assurance strong authentication [1]
“IT’S TIME TO SET A NEW YARDSTICK WITH WHICH TO MEASURE STRONG AUTHENTICATION METHODS, WITH THE STRONGEST DEEMED ‘HIGH ASSURANCE’,” - AL PASCUAL, JAVELIN STRATEGY & RESEARCH, OCTOBER 2017
[1] Javelin Strategy & Research, 2017 State of Authentication Report
JAVELIN RESEARCH 2017 STATE OF AUTHENTICATION REPORT
AL PASCUAL, SENIOR VICE PRESIDENT AND RESEARCH DIRECTOR, JAVELIN STRATEGY & RESEARCH
METHODOLOGY
• This study, sponsored by FIDO, explores the current state of authentication in the U.S., including the evolution and use of strong authentication to secure customer accounts and enterprise systems against unauthorized access.
• Business survey data in this report is based primarily on information collected in two surveys fielded in February 2017:
  - An online survey of 200 businesses with authenticated customer online or mobile portals.
  - An online survey of 200 businesses with authenticated employee portals.
• Additionally, in-depth interviews were conducted with industry executives in roles influencing enterprise authentication policies.
• The whitepaper was independently produced by Javelin Strategy & Research. Javelin maintains complete independence in its data collection, findings, and analysis.
Research Study
THERE IS NO BULLETPROOF SINGLE FACTOR
Authentication Examples
Technology            Factor      Key Vulnerabilities
Password              Knowledge   Theft or guessing, and replay
Security Questions    Knowledge   Theft or guessing, and replay
Hard Tokens           Possession  Interception and replay, or theft
SMS-based OTP         Possession  Interception and replay
Smartcard             Possession  Physical theft
Facial Recognition    Inherence   Image capture and reuse
Fingerprint Scanning  Inherence   Image capture and reuse
WHAT IS STRONG AUTHENTICATION?
Traditional Strong Authentication
Synonymous with multifactor authentication (MFA), this interpretation is still broadly promoted as a best practice (e.g., FFIEC, PCI DSS, PSD2 SCA, NIST, etc.).
Multifactor authentication involves the use of two or more factors of authentication for a transaction so that if any one factor is compromised, a supplemental factor can be relied upon to reduce the risk of unauthorized access.
High-Assurance Strong Authentication
This form of strong authentication uses multiple factors in which at least one of those factors involves the use of PKI, which helps to mitigate the most common authentication vulnerability — the chance that a secret is intercepted or stolen and subsequently replayed.
Such individual solutions would include smart cards, security keys, and FIDO-enabled biometric authenticators.
Exploring the Definition
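Added example (not from the presentation or the FIDO specifications): a minimal Go sketch of why a public-key factor resists the interception-and-replay weakness described above, while a shared secret does not. The `Server` type, its methods, `Demo`, the sample secret and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Server is a hypothetical relying party holding a shared secret and a registered public key.
type Server struct {
	secret    []byte
	pub       ed25519.PublicKey
	challenge []byte
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err)
	}
	return s.challenge
}

// VerifySecret accepts any presentation of the stored secret, so a captured copy replays.
func (s *Server) VerifySecret(p []byte) bool {
	return subtle.ConstantTimeCompare(p, s.secret) == 1
}

// VerifySignature accepts only a signature over the current challenge, then consumes it.
func (s *Server) VerifySignature(sig []byte) bool {
	defer func() { s.challenge = nil }() // each challenge is single use
	return s.challenge != nil && ed25519.Verify(s.pub, s.challenge, sig)
}

// Demo returns (capturedSecretAccepted, freshSignatureAccepted, replayedSignatureAccepted).
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &Server{secret: []byte("constructed-sample-secret"), pub: pub}
	sig := ed25519.Sign(priv, srv.NewChallenge()) // assume this response is recorded in transit
	fresh := srv.VerifySignature(sig)
	srv.NewChallenge() // the next login attempt gets a different nonce
	return srv.VerifySecret([]byte("constructed-sample-secret")), fresh, srv.VerifySignature(sig)
}

func main() { fmt.Println(Demo()) }
```

The recorded secret is accepted again, while the recorded signature fails against the next challenge because the private key never left the authenticator.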
KNOWLEDGE (FACTOR) IS SUPREME IN THE ENTERPRISE
Authentication technology used in the enterprise
WEAK AUTHENTICATION PERVADES THE ENTERPRISE
Type of authentication use, enterprise applications
INTEGRATION, EASE OF USE, AND COST TOP CONSIDERATIONS FOR ENTERPRISE AUTHENTICATION
Most important attributes when considering enterprise authentication to use
USE OF TRADITIONAL STRONG AUTH IS MORE POPULAR WITH CUSTOMERS THAN EMPLOYEES
Type of authentication used, overall customer and enterprise
HIGHER RISK CUSTOMER-FACING AUTHENTICATION SOLUTIONS ARE PERVASIVE ACROSS CHANNELS
Authentication technology used in the enterprise
REGULATED INDUSTRIES FAVOR TRADITIONAL STRONG AUTHENTICATION
Type of customer authentication used, by industry
THE EFFECT ON CUSTOMER LOYALTY IS A UNIVERSAL TOP CONSIDERATION
Top considerations for customer authentication, by industry
WHEN TO USE HIGH-ASSURANCE STRONG AUTHENTICATION
• To bolster authentication after a breach. Supplement and possibly replace knowledge factor solutions. In the event of a breach, businesses would do well to layer additional, high-assurance authentication solutions simultaneously with their remediation plan.
• As a differentiator when emphasizing the value proposition with prospective clients. Using high-assurance strong authentication is both an effective preventative measure and a message to prospects and clients that they are safe doing business with a vendor.
• When it counts within the enterprise. Anything internet-facing and internal systems that are attractive targets for insider threats should have high-assurance strong authentication.
QUESTIONS?
Al Pascual, Javelin Strategy & Research
Brett McDowell, FIDO Alliance
DOWNLOAD THE FULL REPORT
https://fidoalliance.org/2017-state-authentication-report/
