Javelin Research “The State of Strong Authentication Report 2019” shows use of cryptographically-backed strong authentication has tripled since 2017

MOUNTAIN VIEW, Calif., JANUARY 22, 2019 — As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, Javelin Strategy & Research’s new “The State of Strong Authentication 2019” report has found.

The report, sponsored by the FIDO Alliance, analyzes the state of customer and enterprise (employee) authentication amongst U.S. businesses and draws conclusions on the role strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.

The 30-page report is available for free download at https://fidoalliance.org/2019-strong-authentication-report/.

In the report, Javelin’s key findings and recommendations show:

  • Strong authentication implementations have grown dramatically since 2017. The number of organizations using cryptographically-backed strong authentication, where one of multiple authentication factors uses public key cryptography, has tripled since 2017 for consumer authentication and increased by nearly 50 percent for enterprise authentication in the same period. This form of authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials — which are known vulnerabilities with passwords and one-time passwords (OTPs).
  • Regulation is accelerating strong authentication adoption. Nearly 70 percent of businesses agree they face strong regulatory pressure to provide strong authentication for their customers. This is attributed to the introduction of PSD2, along with data protection regulations in the EU and U.S. states such as California.
  • Strong authentication holdouts are underestimating risks to their businesses and customers. Two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are “good enough” for the type of information they are protecting, despite cybercriminals’ continuing to target a wide variety of consumer and business information.
  • Not all strong authentication is created equal. According to Javelin, adopting strong authentication solutions that are based on standards and employ cryptographic security (like FIDO Authentication) can help organizations lower the cost of keeping up with regulation, customer expectations and increasingly sophisticated fraud schemes.
  • It’s time to sunset OTPs. With cyber criminals using social engineering, phone porting and malware to compromise OTP authenticators, Javelin recommends moving away from them and adopting cryptographically-backed strong authentication.

The report includes case studies from Google, Tradelink and Visa, all of which are leveraging FIDO Authentication to provide stronger protection for customer and employee accounts.

“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realize that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny. As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cybercriminals.”

“It’s great to see that organizations are recognizing that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “I hope this study helps to raise awareness of new cryptographically-backed authentication capabilities, compliant with industry standards from FIDO Alliance and W3C, now widely available in leading web and mobile app platforms. These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users — allowing them to use their finger, face or security key to login to all of their favorite websites and applications.”

Those interested in taking a deep dive in “The State of Strong Authentication Report 2019” should attend a free webinar on February 7, 2019 at 10:00 a.m. PT/1:00 p.m. ET.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact
Megan Shamas
Montner Tech PR


FIDO Alliance addresses accuracy and bias in remote biometric identity verification technologies with first industry testing and certification program

Face Verification Certification launched to bring confidence to ID ecosystem among rising online identity theft…

Read More →

FIDO Alliance Releases New Design Guidelines for Optimizing User Sign-in Experience with Passkeys

May 29, 2024 – The FIDO Alliance today released new design guidelines to help accelerate…

Read More →

FIDO Taipei Workshop: Securing the Edge with FDO

[Watch the FIDO Taipei Workshop Recap Video] On April 24, 2024, the FIDO Alliance held…

Read More →

12362 Next