Many companies have been slow to implement multifactor authentication because of concerns of inconveniencing users. "Even financial companies have issues with this," said Luis Corrons, technical director of security vendor PandaLabs.
"Talking to their security teams, they usually have brilliant ideas to implement in order to reduce identity theft," Corrons said. However, concerns about annoying customers and fears about them going to a competitor often slow down such ideas, he said.
"Single factor authentication is something from the last century," Corrons said. By now most companies should have moved at least to two-factor authentication, especially considering the widespread use of mobile devices.
Even so, getting away from passwords entirely is not going to be easy, he said. "There is a lot of work we have to do first to educate users about the great security issue we have if we keep using single passwords to protect our data," he said. Companies also have to figure out new multi-factor authentication systems that both improve security and don't harm the usability.
"User ID and password are like a lock and key -- they keep the honest and casual bad guy out," said Ron Gula, CEO at Tenable.
While they can be effective, a lot depends on the strength of the password, Gula said. "Every year we see 'Password,' 'Password1' and '12345' in the top of the weak password study lists," Gula noted. "We can design a lot of technological controls, but the weak link is still the user. If they choose poor passwords, and poor online hygiene, like using the same password on multiple sites, then the network protection is only as strong as its weakest password."