Multi factor authentication (MFA) is no longer a user-name, password accompanied by a hard-token and today we are seeing an array of options including soft-tokens and facial recognition to highly advanced behavioural analytics and artificial intelligence driven solutions.
We asked some of the industry’s foremost experts a somewhat leading question ‘Can MFA work long term if customers prefer convenience over security?’ Of course, no one wants to exposes themselves to risk, but at the same time most of us don’t want to be impeded when doing the things we need to by passing through factor after factor. Here is what the experts had to say to the ID Bulletin:
Frederik Mennes, Senior Manager Market & Security Strategy, OneSpan
“Consumers are increasingly demanding convenient and seamless authentication experiences, but this cannot come at the cost of security. Thankfully, next-generation authentication, intelligent adaptive authentication, is gaining momentum to overcome this challenge. The aims of this technology are two-fold: to ensure the precise level of security is applied for each level of interaction, which ensures the best possible experience for the user.”
“Adaptive authentication utilises AI and machine learning to score vast amounts of data, such as user behaviour, the integrity of devices, mobile apps and transactions. Based on these patterns, it analyses the risk of a situation and adapts the security and required authentication accordingly. This means that consumers won’t have be faced with multiple authentication challenges for low-risk activities that match with their usual behaviour (such as checking their online banking balance from a recognised device).”
“For higher-risk activity that falls outside of normal behaviour and is potentially suspect, authentication is stepped-up. This can combine a range of tools, from MFA to behavioural analysis and biometrics. And increasingly, authentication is taking place entirely in the background to improve the user experience, such as the analysis of device characteristics, or even position in which a user holds their device.”
Steven Rees-Pullman, General Manager EMEA, Auth0
“The world has to ease itself into continuous authentication. Customers have to accept that continuous authentication is secure, and MFA is a step to get there. Some of our customers have done their own research, and found their users actually like to enter a password, because it makes them feel more secure. They have an element to control, and know someone is taking care of their data. Continuous authentication can work, but only as we get people feeling comfortable with it. Then businesses won’t have to choose between convenience and security, because continuous authentication provides both.”
Dr Guy Bunker, SVP of Products, Clearswift
“There doesn’t have to be a compromise between the two. In fact, there has recently been experiments with Near Field Communication (NFC) devices embedded under the skin. While this sounds either futuristic or slightly revolting, it is something we do today with pets, in order to find the owners should the pet become lost, without a second thought. Tying in a second level of authentication to this is possible – the key being that you only want one NFC device embedded, not 101. Sharing of authentication mechanisms needs to improve so as to become ubiquitous and this will enable the convenience as well as maintain security.”
Adrian Jones, CEO of Swivel Secure
“There is no point in securing the rooms in a house if the front door is left open. The point of system access is the identity and the authentication confirmation process, designed to prove you are actually you needs to be the cornerstone of an organisations layered approach to security. Poor product choice, user education and effective proactive systems management, all contribute to a simple yet effective process (see Risk-based authentication).”
“The product chosen must ensure the method reflects the need, as a simplistic ‘one size fits all’ approach to authentication doesn’t work. This is because as the market matures and expands, it changes from simple corporate VPN access to a completely authenticated supply chain ecosystem. As a man of older years, slowly waning into the status of a committed luddite, I detest complex solutions that hinder my progress. I believe you should seek agnostic suppliers who can deliver on any factor / method, on any platform, cloud or on-premise, in any location, with the right combination of factors and the ability for integrate with all your software.”
“You can implement an authentication solution for all your employees, suppliers and customers without breaking the bank. Choose wisely, look for configurability as a key feature, as personalisation lies at the heart of simplicity and I like a simple life.”
Evtim Batchev, CTO of Halian
“When it comes to MFA, companies have to be flexible when combining the different levels of authentication to preserve the user experience. Take mobile phones, for example, where ease of access is a priority both socially and professionally in our day to day lives. An issue with data connectivity or service, or a broken fingerprint scanner, can cause havoc.”
“MFA must also be able to integrate with different technologies, operating systems and browsers. Without proper integration, users may not get consistent access. Worse, no access at all! But businesses are seeing data at a higher risk than ever before. It’s unavoidable that some services require more severe forms of authentication or additional layers. And overall, MFA is now considered to be standard practice in security and authentication. Despite occasional user grumbles, the use of MFA greatly decreases interception by an outsider. It’s up to businesses to successfully carry out a balancing act between the two.”
Tom Venables, senior manager at risk management consultancy, Turnkey Consulting
“Combining MFA with other solutions to ensure a smoother end-user experience can pay real dividends by ensuring that increased security is not seen as a burden by those affected. Options such as single sign-on can minimise the repetition of logons to information systems, while password-self-service ensures that forgotten passwords do not require a call to IT helpdesks, thereby reducing end-user frustration and saving IT support time.”
“Finally, consideration should be given to the MFA options made available to users for the working conditions they’re most likely to encounter – providing hardware tokens can be costly and time consuming (and frustrating should they get lost). Enabling text messaging to a known telephone is one alternative, although SMS authentication will not work for users who have limited access to mobile networks, in which case an authenticator app may be needed. Providing people with options as to how they prefer to authenticate will give them input in the implementation of MFA and should help drive adoption. Regular reviews with users ensure the choices selected work for them.”
Oz Alashe MBE, CEO of the intelligent cyber security training and awareness platform, CybSafe
“People often tend to push back against security because of the perceived trade-off in productivity. A business can spend time training its staff to not go onto public Wi-Fi while accessing sensitive company information, but if people believe that this is pointless, and moreover, that doing so requires too much effort, they’ll simply ignore the order. If people feel too constrained by security, they’ll often look for easy ‘backdoors’: writing down passwords, and sharing sensitive business information through private emails, and so on. There’s this same risk with multi-factor authentication – that when there are too many fiddly layers of security, people will resort to unsafe tactics that allow them to access what they want quickly.”
“Organisations need to have multi-factor tools in place that provide security, but don’t compromise excessively on productivity. To that end, companies should really consider whether things like physical tokens are worthwhile – yes, they provide an additional security layer, but at what cost. Physical tokens often aren’t convenient, and in many cases, they aren’t compatible with mobile devices.”
“In the ideal world, correct cyber security behaviour should be seamless; doing the right thing should be the easiest thing. The way companies approach MFA in the future needs to reflect this thinking.”
The ID Bulletin 