Aberdeen Group have researched the use of usernames and passwords in business, and have found that many organizations are learning more about the benefits of deploying strong user authentication to increase the level of assurance for online identities as part of an overall approach to securing access to information and managing risk.

The research indicates the 98 percent of the organizations surveyed relied on usernames and passwords for authenticating end users to control access to systems, networks, data and applications. However, nearly half of these businesses have deployed t least one stronger, non-password method of user authentication.

The majority of those surveyed have all taken steps to ensure passwords are strong, for example: Requirements for length (71 percent), complexity (62 percent) and frequency of change (36 percent); Restrictions on reuse (58 percent), and; Exclusion of standard dictionary terms (55 percent).

Although these steps ensure security is enhanced, it is also cumbersome for end-users. Passwords that are complex are often difficult to remember and if you have multiple passwords floating around in your head, it could be easy to get locked out of your system. Traditional methods of storing password include writing it down, which compromises security and relying on a central password database, which if hacked could compromise your entire business. Current research indicates that about nine out of 10 (88 percent) enterprise users have multiple work-related passwords.

To create a more secure environment, Aberdeen Group has put together three distinct strategic approaches:

The first approach is to implement user authentication methods that are deemed most appropriate for each application and end-user population. An organization might use hardware tokens for administrative access to privileged accounts, digital certificates for employee remote access over VPN, and heuristic, risk-based scoring for online access by external customers. Management of these systems would traditionally be done independently.

A second approach is to strive towards a common user authentication method for all applications and end-user populations. An example of this is a U.S. federal government agency that issues smart cards in compliance with HSPD-12.

A third approach is to move towards a common user authentication infrastructure that can manage multiple user authentication methods. The same example can be used of a company that deploys hardware tokens, digital certificates, and heuristic, risk-based scoring for different populations and purposes. The difference in this case is that the company could implement a common back end to create and enforce policies, and to manage authentication credentials more consistently over their life cycle.

Most of the top-performing organizations have currently deployed at least one strong user authentication method in addition to user name/password, and almost half have deployed two or more strong authentication methods, replacing existing solutions with interoperable, more cost-effective alternatives.

The research demonstrates that passwords continue to be a problem, and that a rich diversity of strong authentication alternatives will continue to be available in the market. Organizations that deploy at least one strong authentication method should make an informed choice based on their own unique balance of preferences and solution attributes.