Are Your Users Ready For A Friction-Free MFA Experience?
31 May, 2022, by James Mowbray
"81% of data breaches result from weak or stolen passwords."
We know that passwords are "bad". The Information Security industry has been advising us for many years that passwords need to be retired as a form of authentication, yet there has been stubborn resistance across a number of vertical markets to make the leap and do just that.
The inherent vulnerabilities of UserID/Password combinations as a single form of authentication are well known and their use is a delight for attackers using brute force, phishing, keylogging, and man-in-the-middle techniques.
Even if they can't be retired, the single most effective way to secure your applications is to add Multi-Factor Authentication to the user login journey. While MFA in no way guarantees the protection of a service, it can certainly elevate your application from "definitely vulnerable" to "probably safe for most users".
Strong authentication normally asks two things of users:
- Give us something you know (like a password); and
- Give us proof that you have something in your possession (like a pre-registered mobile phone) or something you are (like a fingerprint)
There are many authentication mechanisms that satisfy the second of these demands including:
- SMS One-Time Passcode
- Voice One-Time Passcode
- Authenticator App (e.g., Google Authenticator, Microsoft Authenticator, Duo Authenticator, etc.)
- Hardware based One-Time Passcode
- FIDO2
Anyone who has filed a UK tax return in recent years will have had to navigate their way through the HMRC login process which will probably have generated a One-Time Passcode via SMS. Hopefully, most Google Mail users will also have Google Authenticator configured (if only to stop Google constantly reminding them to do so in order to secure their account). In short, most people should now be familiar with authentication services that no longer rely on mere User ID and Password combinations.
Do people find these authentication mechanisms annoying? Or do they find them reassuring?
Providers of authentication services have been at pains to reduce the annoyance factor, and a one-touch login approval on your mobile phone is becoming commonplace and much less annoying than having to transcribe a six-digit code from your mobile phone to a web page.
In short, securing applications with stronger authentication is no longer bothersome, either to the IT department implementing it, or the end user community consuming it, right?
If only it were that simple.
Proving that you have something requires registration of that device; requires that the end user actually has the device to hand; and requires the device to be capable of being operated in the environment that the end user finds themselves in.
Common Problems
End user employees may (quite rightly) be resistant to installing a work-related authenticator app on their personal mobile phone. Indeed, it is impossible for some organisations to ask this of their employees depending on the jurisdiction they operate in. Similarly, organisations may be resistant to issuing all employees with a work-specific mobile phone just for that purpose. (Who wants to be carrying two mobile phones these days anyway?)
Even if end users are enthusiastic about installing work-related apps on their personal mobile phone, doing so may be futile for environments which do not allow such devices to be available. There are many workplaces that specifically restrict bringing personal mobile phones on-premises for security reasons - normally national security reasons, of course, but not exclusively so.
A FIDO2 device (such as Yubico's YubiKey) might help, but what happens if a user forgets to bring their device to work? Or drops it into some irretrievable location (such as a toilet)? Can we use the FIDO2 compliance capability offered by the operating systems of the machines we use in our daily life? Maybe, but what happens if we operate in a kiosk-style environment and we don't actually have a device tied to us?
Solutions
Personal mobile phone based authentication mechanisms work fantastically well for consumer environments. In the workplace, however, it is a lot trickier to enforce.
The cost of FIDO2 devices has plummeted in recent years and the FIDO2 compliance of physical machines themselves should help organisations accelerate their MFA rollout. For those high-risk environments (such as military & security services sites), check-out/check-in processes probably already exist when entering/leaving those premises and these could be updated to also cover authentication devices or proximity tokens.
And of course, biometric authentication using fingerprint, voice or facial recognition or even retina scanning is possible.
To further reduce friction though, adaptive controls can be applied to validate contextual information such as location, IP address, time-of-day, device type, device status (endpoint managed/jailbroken/etc.) and other business rules specific to the user or user type.
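As an added illustration (not code from this post or from IBM Security Verify), here is a minimal adaptive policy in Python that scores the contextual signals listed above and maps them to an authentication requirement. The corporate networks, working hours, weights and thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed values: hypothetical corporate egress ranges and working hours.
CORP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
WORK_HOURS = (time(7, 0), time(19, 0))


@dataclass
class LoginContext:
    source_ip: str
    login_time: time
    device_managed: bool      # endpoint is enrolled in device management
    device_jailbroken: bool   # endpoint reports itself as jailbroken/rooted
    country: str              # country resolved from the source address
    home_country: str         # country the user normally works from


def risk_score(ctx: LoginContext) -> int:
    """Sum the contextual risk signals; weights are assumptions, not vendor rules."""
    score = 0
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in CORP_NETWORKS):
        score += 2                      # login from outside the corporate network
    if not (WORK_HOURS[0] <= ctx.login_time <= WORK_HOURS[1]):
        score += 1                      # outside normal working hours
    if not ctx.device_managed:
        score += 2                      # unmanaged or unknown device
    if ctx.device_jailbroken:
        score += 3                      # compromised endpoint
    if ctx.country != ctx.home_country:
        score += 2                      # unexpected country
    return score


def required_assurance(ctx: LoginContext) -> str:
    """Map the score to a login requirement; thresholds are assumptions."""
    if ctx.device_jailbroken:
        return "deny"                   # business rule: never trust a jailbroken device
    score = risk_score(ctx)
    if score == 0:
        return "password_only"          # low risk: friction-free journey
    if score <= 3:
        return "push_approval"          # medium risk: one-touch approval on registered phone
    return "fido2"                      # high risk: phishing-resistant hardware-backed factor
```

A real adaptive engine would also feed the decision and its signals to the SOC, so that repeated "fido2" or "deny" outcomes for one account can be investigated rather than silently absorbed.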
The IBM Security Verify SaaS offering provides a diverse range of Multi-Factor Authentication capabilities out-of-the-box. Its adaptive authentication engine can also elevate the authentication requirements for end users when appropriate (and conversely, ensure a friction-free experience for those users who meet certain criteria).
Remember, the most effective means of reducing the likelihood of a security breach is via the introduction of a Multi-Factor Authentication capability coupled with adaptive authentication journeys. With IBM Security Verify, even the most esoteric of login journeys can be satisfied.
Contact us to arrange a demonstration of how modern authentication can be applied to your environment.