Two-thirds (67 per cent) of large North American organizations have not implemented two-factor authentication for the partners and contractors that access their corporate network, according to a Symantec Corp. report.
The study which polled 306 large enterprises was conducted by Forrester Research Inc. on behalf of the security giant. The respondents included companies from both Canada and the U.S., with all of the companies employing at least a thousand people and 30 per cent of the organizations comprising more than 5,000 employees.
In addition to the lack of strong authentication for business partners, distributors and contract workers, Symantec found that 87 per cent of companies expected their users to remember two or more passwords to access corporate resources.
“About two thirds of companies had at least six different password policies in place,” said Atri Chatterjee, vice-president of user authentication at Symantec. He added that up to half of all IT help desk calls deal with password reset issues.
With more enterprise employees using their own devices to log into the corporate network, Symantec said the importance of access security has reached par with other areas such as firewall and network security. Most organizations are dealing with this problem, Chatterjee said, by creating large and cumbersome password policies.
“The reaction has been to make password policies more complex, but it has resulted in more difficulties for users,” he added.
Symantec said the move to two-factor authentication technologies, which forces employees to use a password in conjunction with a software or hardware token, is the most effective way to provide strong access control.
But while two-factor authentication is being used at the majority of large enterprises throughout North America, Chatterjee said the technology is only used on a limited basis.
“They roll it out to the finance department or senior management only,” he said, adding that large gaps in two-factor authentication deployment means organizations are only as strong as their “weakest link.”
To help enterprises, the security giant says it now offers two-factor authentication as a service that can run in the cloud. It also said it can roll out software tokens to all major smart phone brands.
Symantec’s report comes just a few weeks after EMC Corp. released its RSA SecureID Software Token for Android, which allows users to authenticate themselves on business apps using their Android-based smart phones.
When enterprise users are ready to log in to the corporate ERP system from their laptop, they can generate a one-time software token with their Android app that will enable them access. The passwords only last for 60 seconds and are rolled out via RSA’s Authentic Manager software.
Rachael Stockton, manager of product marketing at RSA, said this functionality was highly demanded by existing RSA customers as the growth of Android in the enterprise world continues at a rapid pace. She added that the ubiquity of the smart phone in general makes it a perfect fit to host a software authentication token.
“People don’t forget their smart phones, so it lowers the support calls,” Stockton said.