With thousands of breaches happening every year, an often touted way of reducing the risk of corporate accounts and the like being compromised is through the implementation of multi-factor authentication (MFA).
However, it’s often not implemented: a sort of ‘granny’s advice’ situation where good advice is readily available, yet we continue to ignore it. So what is MFA? Why would we want to deploy it? Is it a hard thing to get off the ground in an organisation?
We posed some questions on MFA to Chris Webber, Senior Director of Product Management at Centrify to help shed light on a measure that’s widely praised but rarely used.
- What is MFA and what are the forms of authentication companies can use in tandem to implement it?
MFA is Multi-factor Authentication, meaning that a given user has to present multiple “factors” to prove their identity. These factors can be:
- Something you have – examples include: a physical card, a one-time-password token, or a smartphone
- Something you know – examples include: a PIN, a password, or the answer to a personal question
- Something you are – examples include: a fingerprint, a retina scan, your voice
We are most familiar with MFA when it comes to our personal finances. In most of the world, we present our card (a thing we have) and a PIN (a thing we know) to approve a transaction, or withdraw cash. Without the combination of both factors, we can’t access our money.
- Why is it important?
By requiring multiple factors for access – we make it much harder for attackers. Today, attackers have no problem compromising passwords – whether by social engineering tactics that trick folks into giving the password up, or by “brute-force” password cracking with powerful computers.
By including a second factor, like a smartphone, we make it much harder for these attackers. They might be able to steal a password, but unless they also have access to the specific smartphone that also belongs to a user, they can’t gain access. Again – much like the person that might know your financial PIN, but doesn’t have your card.
- Why is single factor authentication not enough?
Password-based security has failed. In 2014 billions of passwords were compromised. In 2015, millions more were added to that total. It’s safe to say that the attackers have all of our passwords. We need something more between them, and our sensitive data.
- Do you expect MFA to become an industry standard? Or is it to be a long struggle?
When you combine the advances in policy-based, adaptive MFA, and the reality of recent data breaches and compromised credentials, businesses have both the technology and the urgency to drive MFA in the near-term.
- What puts companies off implementing MFA?
MFA is not new, and security practitioners have long been calling for it. But until now, it was costly and complex to implement, and was too much of a burden for average users, since it lacked contextual policy that only prompted for extra factors under appropriate circumstances. Instead it was “all or nothing” and didn’t work well for most people.
- Is there a ‘good practice’ for the implementation of MFA?
Requiring multiple factors is the right thing to do – but if it’s too cumbersome, as it has been in the past, companies won’t adopt it. The best practice is to allow easy access when it makes sense – when it’s a user we know, from a device we trust, on a network we recognise, for example. But when we see a new device, or get an access request from a strange location or network, then it’s time to prompt for additional authentication.
This is “Adaptive authentication,” and security folks now have the ability to apply the right level of security, based on policy, across all users – without clunky dedicated hardware tokens, or constant user prompting.
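The adaptive policy described in the answer above, worked through as an added illustration that is not Centrify's product or the interviewee's code: a request is allowed silently only when the user is known, the device is trusted and the network and location are the usual ones; anything unfamiliar triggers a step-up prompt, and a device that passes step-up becomes trusted for next time. All users, devices, networks and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data. In a real deployment these come from the
# directory, the device registry and the network inventory (assumption).
KNOWN_USERS = {"alice", "bob"}
TRUSTED_DEVICES = {"alice": {"laptop-1a2b"}, "bob": set()}
RECOGNISED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("203.0.113.0/24")]
USUAL_COUNTRIES = {"alice": {"GB"}, "bob": {"GB", "IE"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    country: str  # resolved from source_ip by a geo lookup (assumption)


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reasons): 'allow', 'step_up' or 'deny'."""
    if req.user not in KNOWN_USERS:
        return ("deny", ["unknown user"])      # no second factor can fix this
    reasons = []
    if req.device_id not in TRUSTED_DEVICES.get(req.user, set()):
        reasons.append("new device")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in RECOGNISED_NETWORKS):
        reasons.append("unrecognised network")
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        reasons.append("unusual location")
    # Familiar context: let the user straight in. Otherwise prompt for a
    # second factor and tell the log why.
    return ("allow", []) if not reasons else ("step_up", reasons)


def record_successful_step_up(req: AccessRequest) -> None:
    """After the second factor succeeds, trust this device for the user."""
    TRUSTED_DEVICES.setdefault(req.user, set()).add(req.device_id)
```

Subsequent logins from the same device on a recognised network then pass without a prompt, which is what keeps the scheme from being "all or nothing".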
Image source: Shutterstock/Lim Yong Hian