Remember the emergence of Shadow IT and Bring-Your-Own-Device (BYOD)? Both are born out of the friction created when an organization’s desire to secure applications and information directly conflicts with employee desires for ease-of-use, productivity, and just plain control of their own devices.
In the case of Shadow IT, if existing company tools and policies are too restrictive or clunky, departments or employees will use unvetted, cloud-based tools to get the job done without the knowledge of the IT team. Similarly, BYOD refers to the practice of employees using personal devices to access work files and applications. While the policies that result in these work-arounds may have been implemented with the best intentions in mind, the unintended consequences make organizations less secure.
Employees do not generally set out to create security headaches for their employers. It is a natural human behavior to seek out the path of least resistance when working towards a goal or directive. The employee behavior is not that surprising when you think about it purely in terms of day-to-day problem-solving, but organizations can be slow to recognize when their tools and policies are encouraging it. Afterall, it’s hard to admit something is not working as well as it should after you’ve put so much time, money and resources into trying to make it work.
Now think about the dynamic of traditional multi-factor authentication. The name itself makes organizations automatically feel safer - the more an employee needs to authenticate, across multiple devices, the less the risk of having bad actors go undetected, right? In theory, that is true. But it only works if employees can do so without creating friction that interferes with their productivity. If they are not bought in on adopting and complying with the behavior that is being asked of them by their employer, they will find an easier way, or at least definitely try.
We recently conducted a survey with hundreds of IT professionals via Pulse that underscores the conflicting dynamic associated with traditional multi-factor authentication in the enterprise. We found that 47% of employees reported having to authenticate themselves up to three times a day, and 52% report having to authenticate themselves between 4-10+ times a day.
Each time they have to authenticate, they are likely trying to access an application that is critical to getting business done. The authentication is creating a barrier between the employee and the task - friction. The more they have to authenticate, the higher the friction. Not only that, but each authentication introduces the possibility of having a technical issue associated with the access request. 62% of respondents noted that between 10-50% of help desk tickets are password or MFA related.
So, beyond the friction associated with the multiple requests to authenticate, more friction is created each time the authentication fails. Every password or MFA ticket submitted to IT represents lost productivity, therefore lost revenue. In addition to the lost revenue, 43% of respondents said their organizations spend up to $25k annually on help desk tickets regarding MFA and password requests and 58% report spending between $25k - $100k+.
In summary, employees are interrupted multiple times a day to authenticate and re-authenticate, are frequently submitting help desk tickets related to password and MFA issues, and organizations are knowingly suffering lost productivity and incurring additional costs. However, when asked “how happy are you with your current multi-factor authentication provider,” 65% ranked their satisfaction four or five (5 being the happiest).
Does this disconnect sound familiar? Do organizations have the will to remove authentication friction before it’s too late, or is re-authentication the gateway to the new Shadow IT? According to our survey, only some IT pros are starting to recognize the issue.
At Acceptto, our mission is to remove friction from the authentication process to achieve higher employee adoption, reduce costs and improve security. If you don’t want to get caught off guard when you find out your authentication policies are being bypassed, do something about it.
Try our Passwordless Continuous Authentication HERE