May 8, 2019 By Diana Kightlinger 3 min read

Most of us have accepted that passwords are an insecure form of authentication — and, worse still, downright clunky. But that triggers a question: If passwords aren’t the answer, what is? For now, the answer may be multifactor authentication (MFA).

Multifactor Authentication Adds a Critical Layer of Defense

MFA uses any combination of two or more factors to authenticate identity and keep vital assets secure from fraudulent access. By now, we’ve all used two-factor authentication (2FA) online to authorize a login or transaction by combining a password with an SMS code sent to our mobile device. If one factor is compromised, the system is still secure.

Three main factors can be put into play to confirm identity:

  • Something you have — a physical item such as a bank card, key fob or USB stick.
  • Something you know — a “secret” such as a password or PIN.
  • Something you are — a biometric factor such as fingerprints, voice, iris scans and other physical characteristics.

The standards for how to combine these factors and use them to authenticate identity depend on the entity implementing them. In certain industries, MFA is even required to meet compliance mandates. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires MFA for identity and access management in specific circumstances — such as remote access to a cardholder data environment that originates from outside the network or admin access to the data environment from within the trusted network.

Context Is the Key to Seamless Employee Access Management

More and more organizations are considering always-on MFA for every application and IT system, but that’s almost always too cumbersome. If employees have to wait for an SMS code to reach their phone every time they want to access an application, user buy-in will be low. A more effective approach to securing the enterprise involves methods to reduce the burden of action on the user as much as possible, and prioritizing the apps that truly require 2FA based on sensitivity and risk of compromise.

Even where MFA is warranted, nonintrusive risk-based or contextual authentication can make it less frustrating for users. Nonintrusive authentication factors include device fingerprinting, geolocation, IP and device reputation and mobile network operator data. Some threat intelligence platforms, such as the IBM X-Force Exchange, already provide this information to third-party applications and solutions.

These elements add context to the user and device for a transaction and help quantify the risk level of each operation. If the risk is too great, then additional authentication is required. For instance, if a user in New York logs in to the corporate network via her desktop, you may not require MFA; but if a user in Hong Kong tries to access an app via an unknown network using an unrecognized device, you definitely want to add authentication measures.

In addition, platforms that integrate with fraud detection technologies and unified endpoint management (UEM) tools help reduce the need for user-driven MFA and provide helpful context about the user’s risk level to determine the need for additional layers of authentication. Such platforms empower organizations to manage and secure all the many ways employees connect when they’re mobile, such as smartphones, laptops, wearables and even internet of things (IoT) devices. An open platform also makes integration with existing apps and infrastructure straightforward.

The Security-Convenience Balance Is Shifting for Consumers

MFA may be fine for employees, who can be required to use whatever authentication mechanism their organization chooses. But what about consumers? Companies have traditionally weighed security versus convenience, always emphasizing the latter out of fear that customers would balk at extra steps to protect personal data.

However, this conventional wisdom may no longer be true as we’re seeing an increased level of acceptance and familiarity with multifactor authentication from the general population. In fact, as the “IBM Future of Identity Study 2018” showed, consumers have become more familiar and accepting of MFA, especially when it comes to money-related applications and social media. Depending on the age group, the type of MFA preferred varies, with the younger generation much more comfortable with mobile device technology and biometric methods or tokens rather than passwords.

Companies could find the optimal solution is to give users a choice among various authentication options, whether that’s one-time passcodes or fingerprint readers. Risk-based approaches similar to those for employees can also be used in access scenarios for consumers. As the potential harm from abnormal activity rises, so can the number of authentication factors required.

MFA Solutions Must Keep Pace With External Factors

Methods for MFA are continually changing as vulnerabilities arise, technology evolves and the dominant players increasingly come from the millennial and Gen Z populations. New MFA approaches must replace cumbersome logins with intriguing, high-tech possibilities. Smart companies will stay flexible and adaptive by utilizing a cloud platform that updates with the latest methods.

In addition, choosing an MFA policy/method can be treated like a data driven experiment — security leaders should look to platforms that allow them to monitor the success rates of their authentication methods. The methods and policies you implement today won’t and shouldn’t be permanent. Gathering data continuously will help you devise multifactor authentication strategies that provide the optimal security, convenience and sophistication for your employees, customers and organization.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today