May 8, 2019 By Diana Kightlinger 3 min read

Most of us have accepted that passwords are an insecure form of authentication — and, worse still, downright clunky. But that triggers a question: If passwords aren’t the answer, what is? For now, the answer may be multifactor authentication (MFA).

Multifactor Authentication Adds a Critical Layer of Defense

MFA uses any combination of two or more factors to authenticate identity and keep vital assets secure from fraudulent access. By now, we’ve all used two-factor authentication (2FA) online to authorize a login or transaction by combining a password with an SMS code sent to our mobile device. If one factor is compromised, the account remains protected by the other.

Three main factors can be put into play to confirm identity:

  • Something you have — a physical item such as a bank card, key fob or USB stick.
  • Something you know — a “secret” such as a password or PIN.
  • Something you are — a biometric factor such as fingerprints, voice, iris scans and other physical characteristics.

The standards for how to combine these factors and use them to authenticate identity depend on the entity implementing them. In certain industries, MFA is even required to meet compliance mandates. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires MFA for identity and access management in specific circumstances — such as remote access to a cardholder data environment that originates from outside the network or admin access to the data environment from within the trusted network.

Context Is the Key to Seamless Employee Access Management

More and more organizations are considering always-on MFA for every application and IT system, but that’s almost always too cumbersome. If employees have to wait for an SMS code to reach their phone every time they want to access an application, user buy-in will be low. A more effective approach to securing the enterprise involves reducing the burden of action on the user as much as possible and prioritizing the apps that truly require 2FA based on sensitivity and risk of compromise.

Even where MFA is warranted, nonintrusive risk-based or contextual authentication can make it less frustrating for users. Nonintrusive authentication factors include device fingerprinting, geolocation, IP and device reputation and mobile network operator data. Some threat intelligence platforms, such as the IBM X-Force Exchange, already provide this information to third-party applications and solutions.

These elements add context to the user and device for a transaction and help quantify the risk level of each operation. If the risk is too great, then additional authentication is required. For instance, if a user in New York logs in to the corporate network via her desktop, you may not require MFA; but if a user in Hong Kong tries to access an app via an unknown network using an unrecognized device, you definitely want to add authentication measures.
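The contextual decision described above, written out as an added example that is not from the article or any IBM product: each nonintrusive signal (device fingerprint, source network, geolocation, IP reputation) contributes to a risk score, and the number of extra factors demanded grows with that score and with the sensitivity of the app. The weights, thresholds, user names and IP prefixes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data and assumed weights/thresholds, for illustration only.
@dataclass(frozen=True)
class UserProfile:
    home_country: str
    known_devices: frozenset      # device fingerprints seen before
    trusted_networks: frozenset   # IP prefixes the organization treats as its own

@dataclass(frozen=True)
class LoginContext:
    device_id: str        # device fingerprint presented at login
    network: str          # source IP prefix
    country: str          # geolocation of the source IP
    ip_reputation: str    # "clean" or "suspicious", from a threat intel feed
    app_sensitivity: str  # "low" or "high"

# Risk each contextual signal contributes when it looks anomalous (assumed values).
WEIGHTS = {"unknown_device": 30, "unknown_network": 20,
           "foreign_location": 25, "bad_reputation": 40}

def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Sum the weights of the signals that deviate from the user's normal context."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
    if ctx.network not in profile.trusted_networks:
        score += WEIGHTS["unknown_network"]
    if ctx.country != profile.home_country:
        score += WEIGHTS["foreign_location"]
    if ctx.ip_reputation == "suspicious":
        score += WEIGHTS["bad_reputation"]
    return score

def additional_factors(profile: UserProfile, ctx: LoginContext) -> int:
    """Extra factors to require beyond the password: 0, 1 or 2.
    Sensitive apps step up at a lower score; routine access to everyday
    apps from a known context stays frictionless."""
    score = risk_score(profile, ctx)
    threshold = 20 if ctx.app_sensitivity == "high" else 50
    if score < threshold:
        return 0
    if score < threshold + 50:
        return 1
    return 2

# The two scenarios from the text: a known desktop in New York on the corporate
# network, and an unrecognized device in Hong Kong on an unknown network.
ALICE = UserProfile("US", frozenset({"desk-nyc-01"}), frozenset({"203.0.113.0/24"}))
NY_DESKTOP = LoginContext("desk-nyc-01", "203.0.113.0/24", "US", "clean", "low")
HK_UNKNOWN = LoginContext("phone-xyz", "198.51.100.0/24", "HK", "clean", "low")
```

The same unknown context with a suspicious source IP, or a known desktop reaching a high-sensitivity app from an untrusted network, both cross a step-up threshold, which is the behaviour the risk-based approach is meant to produce.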

In addition, platforms that integrate with fraud detection technologies and unified endpoint management (UEM) tools help reduce the need for user-driven MFA and provide helpful context about the user’s risk level to determine the need for additional layers of authentication. Such platforms empower organizations to manage and secure all the many ways employees connect when they’re mobile, such as smartphones, laptops, wearables and even internet of things (IoT) devices. An open platform also makes integration with existing apps and infrastructure straightforward.

The Security-Convenience Balance Is Shifting for Consumers

MFA may be fine for employees, who can be required to use whatever authentication mechanism their organization chooses. But what about consumers? Companies have traditionally weighed security versus convenience, always emphasizing the latter out of fear that customers would balk at extra steps to protect personal data.

However, this conventional wisdom may no longer hold, as we’re seeing an increased level of acceptance and familiarity with multifactor authentication among the general population. In fact, as the “IBM Future of Identity Study 2018” showed, consumers have become more familiar with and accepting of MFA, especially when it comes to money-related applications and social media. The type of MFA preferred varies by age group, with the younger generation much more comfortable with mobile device technology and biometric methods or tokens than with passwords.

Companies could find the optimal solution is to give users a choice among various authentication options, whether that’s one-time passcodes or fingerprint readers. Risk-based approaches similar to those for employees can also be used in access scenarios for consumers. As the potential harm from abnormal activity rises, so can the number of authentication factors required.

MFA Solutions Must Keep Pace With External Factors

Methods for MFA are continually changing as vulnerabilities arise, technology evolves and the dominant players increasingly come from the millennial and Gen Z populations. New MFA approaches must replace cumbersome logins with intriguing, high-tech possibilities. Smart companies will stay flexible and adaptive by utilizing a cloud platform that updates with the latest methods.

In addition, choosing an MFA policy or method can be treated like a data-driven experiment: security leaders should look to platforms that allow them to monitor the success rates of their authentication methods. The methods and policies you implement today won’t and shouldn’t be permanent. Gathering data continuously will help you devise multifactor authentication strategies that provide the optimal security, convenience and sophistication for your employees, customers and organization.
