The latest survey from the DTI into the IT security of UK businesses has revealed that firms could be making themselves more vulnerable by using software-based two-factor authentication rather than hardware tokens.

Software tokens, where a small file is placed on a user's computer, have been adopted by many firms as a relatively cheap way of increasing security. Telecoms and technology companies are the highest adopters.

But Chris Potter, the partner at PricewaterhouseCoopers who compiled the survey, told vnunet.com that in some cases such systems led to more identity theft not less.

"Two-factor authentication is the most popular form of control, but there's a little bit of a sting in the tale," he said.

"Organisations that had software tokens had a higher incidence of break-ins than those that had no two-factor system.

"One reason could be that organisations implement stronger security once breached, but the other possible reason is that software tokens provide limited security and people may feel they are totally covered."

Potter explained that the levels of identify fraud fall back to normal when hardware tokens were used.

Tim Pickard, vice president of international marketing at RSA Security, said: "I haven't has access to this report but it doesn't ring true to me.

"There are some very large organisations that use software tokens and they don't suffer those levels of breaches. Our experience is that breaches going up is a relatively small possibility."

The survey identified three elements to a successful identity management system: strong, ideally two-factor, authentication; single sign on; and automated user provisioning.

Companies using all three elements suffered negligible identity fraud, according to Potter, but only one in every 100 companies is this well protected.

Two-factor is the most popular form of identity management, but 80 per cent of the 1,000 companies surveyed are still using passwords alone to provide access rights.

Overall the level of identity fraud stayed relatively constant, due in part to increased security precautions. Among large companies there was a small increase.

When such fraud did occur, it tended to have a worse impact than any other type of security breach, particularly in terms of reputation damage, adverse media coverage and cost of remediation.

Several small businesses reported direct losses of £10,000 - £50,000 as a result of fraud.