Most of us have accepted that passwords are an insecure form of authentication — and, worse still, downright clunky. But that triggers a question: If passwords aren’t the answer, what is? For now, the answer may be multifactor authentication (MFA).

Multifactor Authentication Adds a Critical Layer of Defense

MFA uses any combination of two or more factors to authenticate identity and keep vital assets secure from fraudulent access. By now, we’ve all used two-factor authentication (2FA) online to authorize a login or transaction by combining a password with an SMS code sent to our mobile device. If one factor is compromised, the system is still secure.

Three main factors can be put into play to confirm identity:

  • Something you have — a physical item such as a bank card, key fob or USB stick.
  • Something you know — a “secret” such as a password or PIN.
  • Something you are — a biometric factor such as fingerprints, voice, iris scans and other physical characteristics.

The standards for how to combine these factors and use them to authenticate identity depend on the entity implementing them. In certain industries, MFA is even required to meet compliance mandates. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires MFA for identity and access management in specific circumstances — such as remote access to a cardholder data environment that originates from outside the network or admin access to the data environment from within the trusted network.

Context Is the Key to Seamless Employee Access Management

More and more organizations are considering always-on MFA for every application and IT system, but that’s almost always too cumbersome. If employees have to wait for an SMS code to reach their phone every time they want to access an application, user buy-in will be low. A more effective approach to securing the enterprise involves reducing the burden of action on the user as much as possible and prioritizing the apps that truly require 2FA based on their sensitivity and risk of compromise.

Even where MFA is warranted, nonintrusive risk-based or contextual authentication can make it less frustrating for users. Nonintrusive authentication factors include device fingerprinting, geolocation, IP and device reputation and mobile network operator data. Some threat intelligence platforms, such as the IBM X-Force Exchange, already provide this information to third-party applications and solutions.

These elements add context to the user and device for a transaction and help quantify the risk level of each operation. If the risk is too great, then additional authentication is required. For instance, if a user in New York logs in to the corporate network via her desktop, you may not require MFA; but if a user in Hong Kong tries to access an app via an unknown network using an unrecognized device, you definitely want to add authentication measures.
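The two ideas above, the three factor categories and the contextual step-up decision, combine naturally into a small policy engine. The following is an added example, not code from the original post or from any IBM product; the credential-to-category map, the risk weights, the step-up threshold and the user profile are constructed assumptions for illustration. It also enforces a point the factor list implies but does not spell out: a password plus a PIN is two secrets, not two factors, so a "multifactor" check must count distinct categories rather than credentials.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories from the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of concrete credential types to categories (constructed for this demo).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials."""
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def is_multifactor(credentials):
    """True only when the credentials span two or more *different* categories."""
    return len(distinct_factors(credentials)) >= 2


@dataclass
class UserProfile:
    """What the organization already knows about a user (constructed baseline)."""
    known_devices: set
    known_networks: set
    home_country: str


@dataclass
class LoginContext:
    """Nonintrusive signals collected for one login attempt."""
    device_id: str
    network: str
    country: str
    ip_reputation: float  # assumed scale: 0.0 = clean, 1.0 = known-bad


# Assumed risk weights; a real deployment would tune these from observed outcomes.
UNKNOWN_DEVICE_WEIGHT = 40
UNKNOWN_NETWORK_WEIGHT = 30
FOREIGN_COUNTRY_WEIGHT = 20
IP_REPUTATION_WEIGHT = 30
STEP_UP_THRESHOLD = 50


def risk_score(profile, ctx):
    """Quantify the risk of one login attempt from its context signals."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE_WEIGHT
    if ctx.network not in profile.known_networks:
        score += UNKNOWN_NETWORK_WEIGHT
    if ctx.country != profile.home_country:
        score += FOREIGN_COUNTRY_WEIGHT
    score += int(ctx.ip_reputation * IP_REPUTATION_WEIGHT)
    return score


def required_factor_count(profile, ctx):
    """Low-risk logins need one category; risky ones are stepped up to two."""
    return 2 if risk_score(profile, ctx) >= STEP_UP_THRESHOLD else 1


def authorize(profile, ctx, credentials):
    """Grant access only if the presented credentials cover enough distinct categories."""
    return len(distinct_factors(credentials)) >= required_factor_count(profile, ctx)


if __name__ == "__main__":
    # Constructed profile: an employee whose desktop sits on the New York corporate network.
    alice = UserProfile({"desk-01"}, {"corp-nyc"}, "US")
    at_desk = LoginContext("desk-01", "corp-nyc", "US", 0.0)
    abroad = LoginContext("unknown-phone", "hotel-wifi", "HK", 0.0)

    print("at desk, password only:", authorize(alice, at_desk, ["password"]))
    print("abroad, password only:", authorize(alice, abroad, ["password"]))
    print("abroad, password + PIN:", authorize(alice, abroad, ["password", "pin"]))
    print("abroad, password + SMS:", authorize(alice, abroad, ["password", "sms_code"]))
```

The first login scores zero and passes on a password alone, matching the New York case in the text; the Hong Kong login from an unrecognized device on an unknown network scores 90 and is stepped up, and only a credential from a second category (an SMS code, not a second secret) satisfies it.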

In addition, platforms that integrate with fraud detection technologies and unified endpoint management (UEM) tools help reduce the need for user-driven MFA and provide helpful context about the user’s risk level to determine the need for additional layers of authentication. Such platforms empower organizations to manage and secure all the many ways employees connect when they’re mobile, such as smartphones, laptops, wearables and even internet of things (IoT) devices. An open platform also makes integration with existing apps and infrastructure straightforward.

The Security-Convenience Balance Is Shifting for Consumers

MFA may be fine for employees, who can be required to use whatever authentication mechanism their organization chooses. But what about consumers? Companies have traditionally weighed security versus convenience, always emphasizing the latter out of fear that customers would balk at extra steps to protect personal data.

However, this conventional wisdom may no longer hold, as we’re seeing an increased level of acceptance of and familiarity with multifactor authentication among the general population. In fact, as the “IBM Future of Identity Study 2018” showed, consumers have become more familiar with and accepting of MFA, especially when it comes to money-related applications and social media. The type of MFA preferred varies by age group, with the younger generation much more comfortable with mobile device technology and biometric methods or tokens than with passwords.

Companies could find the optimal solution is to give users a choice among various authentication options, whether that’s one-time passcodes or fingerprint readers. Risk-based approaches similar to those for employees can also be used in access scenarios for consumers. As the potential harm from abnormal activity rises, so can the number of authentication factors required.

MFA Solutions Must Keep Pace With External Factors

Methods for MFA are continually changing as vulnerabilities arise, technology evolves and the dominant players increasingly come from the millennial and Gen Z populations. New MFA approaches must replace cumbersome logins with intriguing, high-tech possibilities. Smart companies will stay flexible and adaptive by utilizing a cloud platform that updates with the latest methods.

In addition, choosing an MFA policy or method can be treated like a data-driven experiment — security leaders should look to platforms that allow them to monitor the success rates of their authentication methods. The methods and policies you implement today won’t and shouldn’t be permanent. Gathering data continuously will help you devise multifactor authentication strategies that provide the optimal security, convenience and sophistication for your employees, customers and organization.
