May 8, 2019 By Diana Kightlinger 3 min read

Most of us have accepted that passwords on their own are an insecure form of authentication, and a clunky one at that. That raises the question: if passwords aren't the answer, what is? For now, the answer may be multifactor authentication (MFA).

Multifactor Authentication Adds a Critical Layer of Defense

MFA combines two or more independent factors to authenticate an identity and keep vital assets out of reach of fraudulent access. By now, most of us have used two-factor authentication (2FA) online to authorize a login or transaction by pairing a password with a code sent by SMS to a mobile device. The value is that a single compromised factor is not enough: an attacker who has phished or cracked the password still cannot log in without the second factor. The qualifier is that factors are not equally strong. SMS is the most familiar channel but also the weakest, since a code can be phished in real time or diverted by a SIM swap, so an authenticator app or a hardware security key is the better choice wherever the user population can support it.

Three main factors can be put into play to confirm identity:

  • Something you have — a physical item such as a bank card, key fob, hardware security key or the phone that runs an authenticator app.
  • Something you know — a “secret” such as a password or PIN.
  • Something you are — a biometric such as a fingerprint, voice pattern, iris scan or other physical characteristic.

How these factors are combined and enforced is up to the entity implementing them. In certain industries, MFA is required to meet compliance mandates. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires MFA in specific circumstances: for all remote network access to the cardholder data environment that originates from outside the entity's network, and for all non-console administrative access to that environment, including access from within the trusted network.

Context Is the Key to Seamless Employee Access Management

More and more organizations are considering always-on MFA for every application and IT system, but in practice that is almost always too cumbersome. If employees have to wait for an SMS code every time they open an application, user buy-in will be low and workarounds will follow. A more effective approach reduces the burden on the user as much as possible and reserves a mandatory second factor for the applications that truly require it, ranked by sensitivity and by the damage a compromise would cause.

Even where MFA is warranted, nonintrusive risk-based or contextual authentication can make it less frustrating for users. Nonintrusive risk signals include device fingerprinting, geolocation, IP and device reputation and mobile network operator data. Strictly speaking these are not authentication factors but context: they adjust how much proof the system demands rather than proving identity on their own. Some threat intelligence platforms, such as the IBM X-Force Exchange, already provide this information to third-party applications and solutions.

These signals add context about the user and device to a transaction and help quantify the risk of each operation. If the risk crosses a threshold, the system steps up and demands an additional factor. For instance, if a user in New York logs in to the corporate network from her usual desktop, you may not require MFA; but if the same account is used from Hong Kong, over an unknown network and on an unrecognized device, you definitely want to add authentication measures. Because signals such as geolocation and device fingerprints can be spoofed or replayed, treat them as reasons to raise friction, never as a reason to drop below the baseline a sensitive application requires.
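As an added example (not code from the original article or from IBM's products), the following Python sketches the risk-scoring step described above: it takes a login attempt together with its context signals, scores it against what is known about the user, and returns allow, step-up or deny. The user records, IP reputation prefixes, weights and thresholds are all constructed for illustration; a real deployment would read them from its IAM, UEM and threat intelligence sources and tune the weights from observed outcomes. It goes one step beyond the text by adding an impossible-travel check that compares the attempt's country and time with the previous successful login.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ip: str               # client source address
    country: str          # ISO country code from geolocation of `ip`
    device_id: str        # identifier from a device fingerprint or UEM-managed device
    app_sensitivity: str  # "low" or "high", assigned by the application owner
    ts: int               # unix time of the attempt


# Constructed per-user state; a deployment would read this from its IAM/UEM store.
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-desk-01"}}
HOME_COUNTRY: Dict[str, str] = {"alice": "US"}
# (timestamp, country) of the user's previous successful login.
LAST_SEEN: Dict[str, Tuple[int, str]] = {"alice": (1_700_000_000, "US")}
# Constructed reputation list; 203.0.113.0/24 is a documentation range (TEST-NET-3).
BAD_IP_PREFIXES: Tuple[str, ...] = ("203.0.113.",)

IMPOSSIBLE_TRAVEL_SECONDS = 4 * 3600  # assumed: two countries under 4h apart is suspicious

# Assumed weights and thresholds; tune them from observed outcomes.
WEIGHTS = {
    "unrecognized device": 40,
    "foreign country": 30,
    "bad ip reputation": 50,
    "impossible travel": 50,
}
STEP_UP_AT = 40
DENY_AT = 90


def score_attempt(a: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that fires and return the reasons with the score."""
    reasons: List[str] = []
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        reasons.append("unrecognized device")
    if a.country != HOME_COUNTRY.get(a.user):
        reasons.append("foreign country")
    if a.ip.startswith(BAD_IP_PREFIXES):
        reasons.append("bad ip reputation")
    last = LAST_SEEN.get(a.user)
    if last is not None:
        last_ts, last_country = last
        if last_country != a.country and 0 <= a.ts - last_ts < IMPOSSIBLE_TRAVEL_SECONDS:
            reasons.append("impossible travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(a: LoginAttempt) -> str:
    """Map the score to an action. A high-sensitivity app always gets at least step-up,
    so context can add friction to it but never remove the baseline second factor."""
    score, _ = score_attempt(a)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT or a.app_sensitivity == "high":
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed attempts mirroring the New York / Hong Kong scenario in the text.
    samples = [
        LoginAttempt("alice", "198.51.100.7", "US", "dev-desk-01", "low", 1_700_010_000),
        LoginAttempt("alice", "198.51.100.7", "HK", "dev-unknown", "low", 1_700_500_000),
        LoginAttempt("alice", "203.0.113.5", "HK", "dev-unknown", "low", 1_700_003_000),
        LoginAttempt("alice", "198.51.100.7", "US", "dev-desk-01", "high", 1_700_010_000),
    ]
    for s in samples:
        score, reasons = score_attempt(s)
        print(f"{s.user} from {s.country}/{s.device_id} ({s.app_sensitivity}): "
              f"{decide(s):7} score={score} {reasons}")
```

Two design points carry over to real deployments: the score is explainable (the reasons list goes into the audit log so analysts can see why a user was challenged), and a "deny" should raise an alert rather than fail silently, since an attempt that trips several signals at once is worth an investigation.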

In addition, platforms that integrate with fraud detection technologies and unified endpoint management (UEM) tools help reduce the need for user-driven MFA and supply context about the user's risk level to determine whether additional layers of authentication are needed. Such platforms let organizations manage and secure the many ways employees connect when they are mobile, such as smartphones, laptops, wearables and even internet of things (IoT) devices. An open platform also makes integration with existing apps and infrastructure straightforward.

The Security-Convenience Balance Is Shifting for Consumers

MFA may be fine for employees, who can be required to use whatever authentication mechanism their organization chooses. But what about consumers? Companies have traditionally weighed security against convenience and favored convenience, out of fear that customers would balk at extra steps to protect their personal data.

However, this conventional wisdom may no longer hold, as the general population shows growing acceptance of and familiarity with multifactor authentication. As the "IBM Future of Identity Study 2018" showed, consumers have become more familiar with and accepting of MFA, especially for money-related applications and social media. The preferred type of MFA varies by age group, with younger users much more comfortable with mobile device technology, biometrics or tokens than with passwords.

Companies may find the optimal solution is to give users a choice among authentication options, whether one-time passcodes or fingerprint readers. Risk-based approaches similar to those used for employees also apply to consumer access scenarios: as the potential harm from abnormal activity rises, so can the number of authentication factors required.

MFA Solutions Must Keep Pace With External Factors

MFA methods keep changing as weaknesses in older ones surface, technology evolves and users increasingly come from the millennial and Gen Z populations. New MFA approaches must replace cumbersome logins with faster, lower-friction ones. Smart companies will stay flexible and adaptive by using a cloud platform that updates with the latest methods.

In addition, choosing an MFA policy and method can be treated as a data-driven experiment: security leaders should look for platforms that let them monitor the success and failure rates of each authentication method. The methods and policies you implement today won't and shouldn't be permanent. Gathering data continuously will help you devise multifactor authentication strategies that balance security, convenience and sophistication for your employees, customers and organization.
