Most of us have accepted that passwords are an insecure form of authentication — and, worse still, downright clunky. But that triggers a question: If passwords aren’t the answer, what is? For now, the answer may be multifactor authentication (MFA).

Multifactor Authentication Adds a Critical Layer of Defense

MFA uses any combination of two or more factors to authenticate identity and keep vital assets secure from fraudulent access. By now, we’ve all used two-factor authentication (2FA) online to authorize a login or transaction by combining a password with an SMS code sent to our mobile device. If one factor is compromised, an attacker still lacks the other and cannot authenticate.

Three main factors can be put into play to confirm identity:

  • Something you have — a physical item such as a bank card, key fob or USB stick.
  • Something you know — a “secret” such as a password or PIN.
  • Something you are — a biometric factor such as fingerprints, voice, iris scans and other physical characteristics.

The standards for how to combine these factors and use them to authenticate identity depend on the entity implementing them. In certain industries, MFA is even required to meet compliance mandates. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires MFA for identity and access management in specific circumstances — such as remote access to a cardholder data environment that originates from outside the network or admin access to the data environment from within the trusted network.

Context Is the Key to Seamless Employee Access Management

More and more organizations are considering always-on MFA for every application and IT system, but that’s almost always too cumbersome. If employees have to wait for an SMS code to reach their phone every time they want to access an application, user buy-in will be low. A more effective approach to securing the enterprise involves reducing the burden of action on the user as much as possible and prioritizing, based on sensitivity and risk of compromise, the apps that truly require 2FA.

Even where MFA is warranted, nonintrusive risk-based or contextual authentication can make it less frustrating for users. Nonintrusive authentication factors include device fingerprinting, geolocation, IP and device reputation and mobile network operator data. Some threat intelligence platforms, such as the IBM X-Force Exchange, already provide this information to third-party applications and solutions.

These elements add context to the user and device for a transaction and help quantify the risk level of each operation. If the risk is too great, then additional authentication is required. For instance, if a user in New York logs in to the corporate network via her desktop, you may not require MFA; but if a user in Hong Kong tries to access an app via an unknown network using an unrecognized device, you definitely want to add authentication measures.
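The decision logic just described can be made concrete. The following is an added example, not code from the original article or from any IBM product: it scores a login from the nonintrusive signals named above (device fingerprint, geolocation, network, IP reputation) against what is already known about the user, and scales the number of factors demanded with the resulting risk and with the sensitivity of the app being accessed. The signal names, weights, thresholds and the sample user profile are all assumptions chosen for illustration.

```python
"""Risk-based (contextual) step-up authentication.

Added example, not code from the original article or from any IBM product.
The signal names, weights and thresholds are assumptions chosen to
illustrate the policy, not values from the page.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    """What we already know about the user from past successful logins."""
    user_id: str
    known_devices: Set[str]     # device fingerprints seen before
    usual_countries: Set[str]   # ISO country codes of prior logins
    known_networks: Set[str]    # e.g. corporate egress networks or ASNs


@dataclass
class LoginContext:
    """Nonintrusive signals collected for one login attempt."""
    device_fingerprint: str
    country: str
    network: str
    ip_reputation: str          # "good", "unknown" or "bad" (assumed feed categories)


# Assumed weights: each contextual signal that fails to match adds risk.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "unknown_network": 20,
    "unknown_ip_reputation": 10,
    "bad_ip_reputation": 40,
}

# Assumed policy: (step-up threshold, strong-auth threshold) per app sensitivity.
# Sensitive apps step up at lower risk, matching the advice to prioritize
# by sensitivity and risk of compromise.
THRESHOLDS = {"low": (50, 90), "high": (20, 60)}


def score_login(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Return a 0-100 risk score and the signals that raised it."""
    score = 0
    reasons: List[str] = []
    checks = [
        ("unknown_device", ctx.device_fingerprint not in profile.known_devices),
        ("unusual_country", ctx.country not in profile.usual_countries),
        ("unknown_network", ctx.network not in profile.known_networks),
        ("unknown_ip_reputation", ctx.ip_reputation == "unknown"),
        ("bad_ip_reputation", ctx.ip_reputation == "bad"),
    ]
    for name, triggered in checks:
        if triggered:
            score += WEIGHTS[name]
            reasons.append(name)
    return min(score, 100), reasons


def required_factors(score: int, sensitivity: str) -> int:
    """Number of authentication factors to demand for this login.

    1 = password only (context is familiar), 2 = add a second factor,
    3 = demand a third factor as well; the count rises with the risk.
    """
    step_up, strong = THRESHOLDS[sensitivity]
    if score < step_up:
        return 1
    if score < strong:
        return 2
    return 3


def decide(profile: UserProfile, ctx: LoginContext, sensitivity: str) -> dict:
    """Combine scoring and policy into one auditable decision record."""
    score, reasons = score_login(profile, ctx)
    return {
        "user": profile.user_id,
        "score": score,
        "reasons": reasons,
        "factors_required": required_factors(score, sensitivity),
    }


# Constructed sample data mirroring the article's two scenarios.
ALICE = UserProfile(
    user_id="alice",
    known_devices={"fp-ny-desktop"},
    usual_countries={"US"},
    known_networks={"corp-egress"},
)
NEW_YORK_DESKTOP = LoginContext("fp-ny-desktop", "US", "corp-egress", "good")
HONG_KONG_UNKNOWN = LoginContext("fp-unseen-laptop", "HK", "unknown-wifi", "unknown")

if __name__ == "__main__":
    for ctx in (NEW_YORK_DESKTOP, HONG_KONG_UNKNOWN):
        for sensitivity in ("low", "high"):
            print(sensitivity, decide(ALICE, ctx, sensitivity))
```

The familiar New York desktop login scores zero and gets through on the password alone for either app tier; the Hong Kong attempt from an unrecognized device on an unknown network scores high enough that a low-sensitivity app asks for a second factor and a high-sensitivity app demands a third. Recording the contributing signals alongside the score gives the security team the data it needs to tune weights and thresholds later.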

In addition, platforms that integrate with fraud detection technologies and unified endpoint management (UEM) tools help reduce the need for user-driven MFA and provide helpful context about the user’s risk level to determine the need for additional layers of authentication. Such platforms empower organizations to manage and secure the many ways employees connect when they’re mobile, such as smartphones, laptops, wearables and even internet of things (IoT) devices. An open platform also makes integration with existing apps and infrastructure straightforward.

The Security-Convenience Balance Is Shifting for Consumers

MFA may be fine for employees, who can be required to use whatever authentication mechanism their organization chooses. But what about consumers? Companies have traditionally weighed security versus convenience, always emphasizing the latter out of fear that customers would balk at extra steps to protect personal data.

However, this conventional wisdom may no longer hold, as we’re seeing an increased level of acceptance of and familiarity with multifactor authentication among the general population. In fact, as the “IBM Future of Identity Study 2018” showed, consumers have become more familiar with and accepting of MFA, especially when it comes to money-related applications and social media. The type of MFA preferred varies by age group, with the younger generation much more comfortable with mobile device technology and biometric methods or tokens than with passwords.

Companies could find the optimal solution is to give users a choice among various authentication options, whether that’s one-time passcodes or fingerprint readers. Risk-based approaches similar to those for employees can also be used in access scenarios for consumers. As the potential harm from abnormal activity rises, so can the number of authentication factors required.

MFA Solutions Must Keep Pace With External Factors

Methods for MFA are continually changing as vulnerabilities arise, technology evolves and the dominant players increasingly come from the millennial and Gen Z populations. New MFA approaches must replace cumbersome logins with intriguing, high-tech possibilities. Smart companies will stay flexible and adaptive by utilizing a cloud platform that updates with the latest methods.

In addition, choosing an MFA policy or method can be treated like a data-driven experiment: security leaders should look to platforms that allow them to monitor the success rates of their authentication methods. The methods and policies you implement today won’t and shouldn’t be permanent. Gathering data continuously will help you devise multifactor authentication strategies that provide the optimal security, convenience and sophistication for your employees, customers and organization.
