IAM Sprint: Multi-Factor Authentication
30 April, 2024, by Natasha Free
IAM Sprint: Multi-Factor Authentication
The vulnerability of passwords is well understood. In fact, an oft-quoted statistic states that 80% of breaches are password related. Fortunately, one of the best solutions to this problem is also one of the most efficient – the introduction of an additional authentication step.
Multi-Factor Authentication (MFA) can be simple and straightforward. But it is reliant on ensuring you choose the most appropriate method of securing that second step and that you do not impinge on usability. The key is to ensure that users do not perceive any additional friction in their logon journey.
What will you use to verify that additional authentication step? This will depend on your business model and what works best for your users. Smartphones are now ubiquitous but are not always appropriate for each user type.
This sprint will reveal how you can best leverage MFA to make your business systems more secure.
The Warm-Up
To lay the groundwork for your MFA roll-out you will need to consider the following:
Where is your greatest risk of exposure?
Determining your current risk posture will involve a conversation with your risk management team (or equivalent). They will confirm if there are any regulatory or compliance requirements for your industry that you need to consider and where your biggest risks lie. Factors that determine your exposure to risk include having a high number of remote workers or a requirement for secure access to data in the cloud.
Employee or consumer?
There may well be a recognised (and pressing) business requirement or risk that will dictate which user community your address first but, in general, your consumer community will be an easier sell to the powers that be. Consumers generally have their own smartphone device, and their authentication journeys are much more straightforward than those that employees have to endure.
How ‘computer literate’ is your user group?
This may seem an odd question in the second decade of the twenty-first century. However, it is well documented, if not widely acknowledged, that there are user groups who either do not have the means or the inclination to be part of the information ‘revolution’. Should they be denied access to your services? You may find yourself in legal hot water if you do deny them access. Therefore, consider how you might provide alternative means of continuing to do business with your organisation for those users for whom a Multi-Factor Authentication mechanism will seem like a barrier.
What device?
If you are to use the ‘something you have’ approach to stronger authentication then you need to think carefully about what that thing actually is. Despite the ubiquity of smartphones, you may have users who do not own one or who will be reluctant to use a personal one for work purposes. Therefore, will you issue devices? And if so, you will need to consider how to handle lost devices and how a user should be able to reset their second factor.
OTP or authenticator app?
OTP to SMS or email is not as secure (or reliable) as the use of an authenticator application, which should be encouraged, if possible. Some of the ‘big players’ who provide an authenticator application include Microsoft, Google, IBM, and Duo and they mostly operate and behave in a similar way that is intuitive for end users.
Allow choice?
Some users, particularly the more tech savvy will welcome being able to choose which authentication method they use for their second factor. Tools such as IBM Security Verify allows administrators to open up (or limit) a wide range of possible MFA mechanisms including the use of FIDO2 devices such as Windows Hello.
Biometrics?
This is a an interesting one as currently people may still be sceptical about sharing biometric data. If you decide to go down this path, then you will need to understand where the data would be stored and how it would be accessed. If you are relying on the use of personal devices, you will need to consider whether your users have a device compatible with using this technology.
The Sprint
Now you have answered the questions above, what subset of users did you choose for your sprint? Often, IT managers will start with remote workers or those accessing high risk applications.
Tools like IBM Security Verify allow you to pilot with a clearly defined subset. The wizard-based setup will allow you to tailor the user authentication journey in line with the points considered above. Defining a policy enforcement rule is simply a matter of selecting your user community, picking the application they are attempting to access, and presenting them with a list of appropriate MFA methods to help them fulfil their authentication requirements.
But policy definitions can go much further than this. You can create a policy that will take a context-based approach to enforcing MFA. For example, if a user is attempting to access a critical application from a trusted device, on a trusted network, you may decide that MFA is not required and adding friction to the user journey is unnecessary. If the user, however, is using an unknown device in a geographical location that is outside your normal jurisdictions, then you probably want to mandate a stronger level of authentication.
The days of having to code this logic are no more. Point-and-click operations are all that are required to implement your policies.
And there’s more. Existing access management systems can play nicely with your MFA provider. In other words, you can deploy MFA capability to your legacy applications and give them a modern authentication mechanism without the need to completely rip out your existing access management service.
Providing you’ve managed to get all the answers you needed in the ‘warm-up’, your MFA tool of choice should be capable of doing all the heavy lifting when it comes to configuring your policies and workflows.
The Warm-Down
Your sprint will have been a success and now is the time to consider to whom you next rollout your service or for which applications you want to add an additional layer of protection.
If you’re feeling really confident (and why wouldn’t you), then setting up adaptive access controls is a logical next step. Not only is this flexible but it enables a better user experience. Adaptive access controls look at a number of contextual parameters and automatically make a decision based on predefined criteria such as geography, IP routing, time of day, device, behaviour.
In short, a context and risk-based approach to introducing friction to the logon journey can be appropriate. Removing friction when you are confident that the context suggests low risk will be greatly appreciated by your end users. If the user is presenting a scenario that is the same as every day for the last six months, then it’s highly likely they are who they say they are and it is low risk to allow them to go about their business without further interruption.