Multi-factor Authentication Methods
Identifying that your organization needs to enforce multi-factor authentication is the first step in finding a solution. The information behind your portal is protected for a reason: to prevent unauthorized users from gaining access to your data. Pinpointing the right fit and the right authentication method to meet your company’s and employees’ needs, however, can open a can of worms.
Your environment may be as simple as 50 users operating only on desktop computers or as complex as thousands of users operating independently all over the world. These two drastically different scenarios need different solutions, so when looking inward at your needs, you may even find that contrasting multi-factor solutions are needed within a single company. In the modern workforce this is very common: some users may only work on-premises, while others operate on their own personal equipment at home.
Types of MFA Methods
Within a multi-factor authentication solution, organizations cannot take a “one-size-fits-all” approach and establish the same multi-factor authentication methods for each of their users. While some users may prefer PINs, other employees, especially those who administer more sensitive data, may be required to use a stronger method like biometrics.
Regardless, these are the most common types of multi-factor authentication methods that organizations enable:
Passwords are the most common form of authentication, and they certainly served a purpose before our devices stored critical data. The most recent effort to improve password security has been to deploy complex 16-character passwords in the hope of making them harder to hack. Yet this causes too much friction for the end user and leads them to write the password down somewhere they can easily reference it, thus breaking down the security process. Here’s the bottom line with passwords: IBM, Microsoft and many other IT leaders have declared the password dead and urge their customers to find an alternative.
PINs are easier to use and maintain than passwords, but still offer the lowest level of security. Another issue the organization must consider is overall cost. There are guidelines recommending that the organization pay for the employee’s phone and service if the employee is asked to use the device to conduct company business.
One-time passcodes (OTP) add an extra step to the password/PIN scenario, but it’s a small cost for the gains in security and upkeep. Delivered by app, token or SMS message, an OTP is a time-sensitive, single-use code generated for every login action. Because each code is unique and generated by the system, there is no need to remember or update long strings of characters, and the codes are much more difficult to steal. Modern phishing techniques have decreased the security community’s confidence in OTPs sent over SMS, but the app and token options are considered viable, if a bit cumbersome.
More secure than something you know, a smart card is something you have. An MFA system secured with a card is safe from remote hacking and phishing attacks, since it requires an actual physical card to be present at the point of login. With contactless card technology widely available, a simple tap can be all it takes to use this factor for login. But since it is a physical object, a card can still be lost, stolen or shared, weakening the assurance that the person logging in is in fact the authorized user associated with the card. Another issue with cards is cost, which tends to sneak up on the organization as replacing cards becomes expensive and inconvenient.
Tokens, like cards, are something you have. With a small form factor and a wide variety of configurations, tokens can bring multi-factor authentication to desktop and mobile channels with ease. A USB token just needs to be plugged into a device, and a wireless token might only need to be in close enough proximity to a device to vouch for a user’s identity. Just like cards, however, tokens can be lost, stolen and shared, and each compromised object costs a business money, administrative labor and time to replace. Tokens also inhibit workflow and add a layer of friction.
Keys that store user passwords offer another alternative method for authentication. Users can use their password key on multiple devices. One of the issues with keys is that they store all the personal and private passwords on the key itself. If your key gets into the hands of an unauthorized user, they have open access to all your password-protected websites, files and applications. Cost also becomes an issue, as replacement costs due to loss or theft compound over time.
Biometric authentication has long been heralded as the epitome of best practice for authentication security. The reason stems from the core idea behind the concept: a person can be accurately and uniquely identified by individual physical and/or behavioral traits. Simply put: nobody else is you. Over the years, biometrics have become a staple in the authentication sphere, and the technology has seen numerous leaps and innovations that make it even more accessible to the everyday consumer. These days, biometrics act as an alternative to the ever-dreaded password, as well as a secondary factor for ensuring the right people are accessing privileged resources.
Fingerprint readers are the most common form of biometrics in the consumer-facing market today. From cellphones to shared kiosks, fingerprint biometrics have been around long enough to see both sides of the usability spectrum. For many users, the idea of using a separate device – even in a ‘shared’ environment – is simply too much. Luckily, multiple consumer-friendly biometrics options are available to choose from.
Modern MFA Approaches
In a recent article on vice.com, a hacker was able to leverage a business text messaging service and, for a mere $16, take over the victim’s phone number and intercept all their SMS messages. These messages included those carrying OTPs for gaining access to secure accounts. With little effort, the hacker was able to access the victim’s Bumble, Postmates, and WhatsApp accounts, among others. There was no indication to the victim that the phone had been hacked.
On the other hand, both employees and customers can become sources of cyber risk to an organization when they resist, avoid, and refuse to adopt MFA methods. Circumventing authentication and using poor security practices can be a top threat to an organization. For example, according to Gartner, Inc.’s 2020 Authentication Market Guide, one of the most common authentication approaches, leveraging the user’s mobile phone, is impractical for up to 15% of employees and 50% of customers. In other words, it is not a feasible option for them. This is due to their work environment, lack of cell phone reception, or even an adverse reaction to using a personal device for business purposes.
Here are three recommendations for making sure your MFA strategy is ready for the future:
- Apply advanced authentication approaches: this includes the use of contextual authentication and step-up authentication to strike a better balance between security and convenience. Bringing in the context of the access request or the type of application being accessed can not only make it more difficult for cybercriminals to gain access, but also reward employees and customers when they request access appropriately. For example, changing the authentication methods that are required based on a user’s geolocation can make it difficult for overseas cybercriminals to fake an authorized access request. At the same time, an employee requesting access from their usual spot, their home office location, may have fewer authentication “hoops” to jump through.
- Flexible options are essential: one thing is for sure, if your MFA strategy creates friction for your employees and customers, they can become a risk to your business very quickly. Make sure you not only have multiple methods of authentication, but also give individual users options at the time they request access. For example, if your security policy is set up for them to log in with a phone-based method and they forget their phone that day, what options do they have to still log in? Setting up a few different methods for each user to choose from, controlled by a security policy, is now the best practice for achieving that flexibility.
- Include biometrics: while biometrics are still being adopted by many organizations, all indications are that they are quickly becoming a “must-have” as part of your MFA strategy. With the attacks on phone-based methods and the hassle of many methods such as hardware tokens, biometrics have become the most convenient and secure method according to recent research by Raconteur. Compared to passwords and other forms of authentication, 43% of IT professionals report that biometrics (thumbprint) are “completely secure”. With nothing to carry, nothing to remember, and the fact that they cannot be shared amongst users, including biometrics as an authentication method is critical to future-proofing your MFA strategy.
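The three recommendations above can be expressed as one policy: derive a required assurance level from the request context, then offer the user every enrolled factor that meets it, strongest first. The following Python is an added illustration, not the article’s or any vendor’s code; the factor names, the level each factor is assigned, and the step-up rules are this example’s assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assurance level per second factor (assumption, following the article's ranking:
# PIN and SMS OTP weakest, app OTP middle, possession-bound tokens/cards and
# biometrics strongest).
FACTOR_LEVEL: Dict[str, int] = {
    "pin": 1, "sms_otp": 1, "app_otp": 2,
    "hardware_token": 3, "smart_card": 3, "biometric": 3,
}

@dataclass
class UserProfile:
    home_country: str
    enrolled: List[str]   # several second factors per user, per the "flexible options" advice

@dataclass
class AccessRequest:
    country: str          # geolocation of the request
    known_device: bool    # device previously seen for this user
    usual_location: bool  # e.g. the user's registered home-office network
    sensitivity: int      # 1 = routine app, 2 = internal data, 3 = privileged/admin

def required_level(req: AccessRequest, profile: UserProfile) -> int:
    """Contextual rule: start from what the resource needs, step up for each
    anomaly, and relax one level for the familiar home-office case."""
    level = req.sensitivity
    if req.country != profile.home_country:
        level += 1  # unexpected geolocation: step up
    if not req.known_device:
        level += 1  # unrecognised device: step up
    if req.known_device and req.usual_location:
        level -= 1  # fewer "hoops" from the user's usual spot
    return max(1, min(level, 3))

def acceptable_factors(req: AccessRequest, profile: UserProfile,
                       unavailable: Sequence[str] = ()) -> Tuple[int, List[str]]:
    """Return the required level and the user's enrolled factors that satisfy it,
    strongest first, minus any the user cannot use right now (e.g. forgot phone).
    An empty list means the policy should send the user to enroll a stronger method
    rather than silently falling back to a weaker one."""
    need = required_level(req, profile)
    options = [f for f in profile.enrolled
               if FACTOR_LEVEL[f] >= need and f not in unavailable]
    return need, sorted(options, key=lambda f: -FACTOR_LEVEL[f])
```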
See the State of Multi-factor Authentication
With multi-factor authentication becoming more common in many institutions, more organizations are looking to implement MFA in their own environments to mitigate security risks. However, implementing MFA is easier said than done, and many schools may have a hard time finding a solution that works for them. Therefore, we have developed an in-depth MFA survey that examines how organizations manage security and authentication, and captures decision makers’ attitudes toward various authentication methods, including Zero Trust for education, passwordless approaches, and biometrics.