Enterprise adoption of multi-factor authentication has been slow, with many organizations disregarding its value. But has Amazon triggered a change in momentum?
Despite best intentions, few in the industry would argue that relying on a password for security purposes works.
If a password is too simplistic, it is more likely to be guessed (either by man or machine). If it is too complex, the chances are it has to be written down in order to be remembered, leaving it susceptible to prying eyes.
Passwords are shared with insufficient consideration of the longer-term implications, and ex-employees can often still access networks after they have left an organization.
One of the biggest crimes however is the replication of login credentials across multiple devices and applications. This leaves companies and individuals particularly vulnerable to attack — if the same password is used for multiple resources, attackers can crack a single password and have access to everything.
As the number of mobile devices and wearables in the workplace grows, and the adoption of enterprise cloud and mobile applications continues to increase, the reliance on passwords and the associated risks, increases accordingly.
Multi-factor authentication (MFA) has long been talked about in the security industry, with many disregarding its value. But as IT teams tackle the rising tide of hacks and breaches — which are putting reputations, careers and customer loyalty on the line — organizations, including the likes of Amazon, are quietly embracing MFA as a means to secure their networks.
Why the slow burn?
MFA has tended to be reserved either for only the most sensitive or vulnerable accounts, or implemented in standalone silos for specific apps or services due to lack of platform coverage.
For example, MFA might be used to access SaaS applications but not for accessing VPNs, on-premise apps or logging onto a mission-critical server. Furthermore, MFA has historically been either “on” or “off,” which resulted in constant prompting for MFA at every login. Couple that with the cumbersome nature of physical tokens, and you had a recipe for annoyance and revolt for average users who were simply trying to get work done.
As such, the results of using MFA have been a mixed bag so far. Unless there is the same level of security consistency across the organization, some parts of the network will remain more vulnerable than others. Despite the constraints, MFA holds great potential. According to research firm MarketsandMarkets, the global MFA market is predicted to be worth 9.6 billion dollars by 2020.
MFA can take different guises. It involves combining additional ‘factors’ — such as something an individual has (like an ATM card or smart card) or something a user is (such as a biometric characteristic like a fingerprint or retina scan) — alongside something the user knows, like a password.
An account or device cannot be accessed by one factor without the other.
At the most simplistic level, consumers have been using MFA to access their bank accounts using an ATM machine for years. They gain access via the card (something they have) and the PIN to their account (something they know). The financial services sector continues to lead the way in MFA applications with the recent announcement that MasterCard customers will be able to replace passwords with “selfies” and fingerprints when shopping online.
MFA in the enterprise
Now, the time has finally come for MFA to step up to the mark and bring the same levels of security to the workplace.
The increased use of mobile devices is helping the adoption of MFA as most people keep their phones close to hand. For example, additional forms of authentication — such as responding to a push notification or SMS to a phone, having to enter a secure One-Time Password (OTP), clicking on a link from an email, touching a fingerprint sensor on a smartphone, or responding to a voicemail — can verify a person’s identity.
However, as with all security solutions, they are only as good as the people using them.
A recent Centrify survey found that 69% of wearable device owners say they forego login credentials, such as PINs, passwords, fingerprint scanners and voice recognition, to access their devices.
Presumably this is because they don’t want the perceived additional hassle of having to go through additional steps in order to access the device.
This is concerning given that 56% of wearable owners use their devices to access business apps such as Box, Slack, Trello, Dropbox, Salesforce, Google Docs, Microsoft Office or a combination.
Put simply, users don’t want additional hoops to jump through when they are trying to get on with their job. Yet, as attackers get more aggressive and sophisticated, organizations need to get serious about layering on additional factors of authentication across the enterprise, whether it’s for employees, contractors, outsourced IT, partners or customers.
There is a fine line between having an additional layer of security in place and user tolerance. If the system is distracting or frustrating then people may be put off using the technology in the first place, leaving a potential security weak-point in the network.
MFA has now sufficiently evolved to provide the additional layer of security needed with minimum impact on the users.
For example, parameters can be defined so that MFA only activates if there is a usual pattern of behaviour, such as accessing the network at an unusual time or a device being used from a different physical location to normal.
Of course, unscrupulous operators will continue to attempt to counter any new security measure, but MFA is finally giving organizations the additional layer of security that will make a breach harder to achieve.
Learn more about multi-factor authentication here.