Beyond MFA: Adding Context For Secure Access
The pandemic forced most businesses globally to transition to remote work. With many people working from home, any semblance of a corporate security perimeter evaporated, increasing demand for virtual private networks (VPNs) and multifactor authentication (MFA) to strengthen an organization’s security posture.
Legacy Multifactor Authentication Technology is Flawed
Implementing MFA is definitely the right step toward securing remote access, however most organizations ignore the fact that human error (via successful phishing attempts) continues to be a leading cause of security breaches and many of the so-called advanced multifactor authentication methods still rely on something archaic – the password. People are password fatigued, overwhelmed by having to manage on average, 100 passwords and often reusing them at their own risk. In fact, 99% of enterprise users reuse passwords across their accounts. Attackers can easily steal credentials or buy them off the dark web, successfully bypassing MFA all together. Look no further than the headline-making SolarWinds hack that leveraged stolen credentials to get around MFA.
One-time passwords (OTP) combined with MFA is an approach also growing in popularity; however, this technology can be vulnerable to man-in-the-middle attacks. For example, an attacker can phish a user into visiting a spoofed website and when the user enters login credentials, the attacker forwards those credentials to the legitimate site, which then authenticates the user and sends the hacker a one-time password. Once the OTP is entered in the fake site, the attacker leverages it to gain full access to the account. The FBI issued warnings about similar MFA attacks in 2019. Although the agency still recommends adoption of MFA solutions, it advised users that cybercriminals have the means to sidestep MFA protections. As early as 2016, NIST announced the deprecation of SMS-based methods for out-of-band authentication, as well.
Environmental and Behavioral Context for MFA
Contextual authentication is a more intelligent authentication strategy, one that is adaptive in nature – meaning the security policy not only enforces MFA but also considers the behavioral and environmental characteristics of someone’s access behavior. Basic attributes of contextual authentication can include the user’s network, IP address, device configuration and browser, geo-location and other factors, such as the number of attempted logins.
Sometimes called risk-based or adaptive authentication, contextual authentication promises to grow in scope with AI-assisted security applications that can involve extended or additional user attributes such as gait analysis, geo-velocity (in other words, for frequent travelers, the ability to factor in speed and distance), thermal sensitivity, sensors that can measure keystroke pressure and even smartphones that can identify a person based on how that person holds their device. Instead of including intrusive authentication measures, contextual authentication can bypass the need for MFA or at least reduce the need to provide a significant amount of authentication factors, reserving it only for high-risk access requests. The security policy will detect the user’s authorized device, network and location, allowing the user immediate access via single sign-on to all cloud services.
The Future of MFA is Both Contextual and Passwordless
Balancing security and convenience is like walking a tight rope. Ease of use (user friendliness) often outweighs security concerns when the decisions around implementing MFA are made. However, it doesn’t always have to be that way. As mentioned above, leveraging environmental and behavioral factors can help adjust the strength of the required authentication so that it is appropriate to the level of risk present, but that still doesn’t eliminate the pesky password.
Truly convenient and modern MFA approaches also include passwordless authentication options as part of the options presented to users. Passwordless methods can simply request a username, ask for a second authentication factor and complete the login without a password or anything the user has to remember. That second factor can be any authentication method, however, for the highest level of convenience and security, organizations in many industries are relying on biometrics to achieve it.
With biometrics as a passwordless option, users simply type in a username, scan their fingerprint, and are automatically logged in to their desktop. From there, they can be provided single sign-on access to applications without being asked for a single password. In other words, it can make password fatigue a thing of the past. With such a nirvana on the horizon, Gartner predicts that by 2022, 60% of large enterprises, and 90% of midsize enterprises will implement passwordless methods.
A Holistic Strategy for Optimized Results
The use of contextual authentication combined with passwordless methods and single sign-on creates the balance of security and convenience that many organizations have been searching for. The evolution of MFA from passwords to two-factor and now, to contextual authentication, we’re continuing to modernize and improve how we secure access, and the results are obvious: seamless access to all applications, lower IT costs, happier and empowered remote workers and centralized secure access that is difficult to breach.
This winning combination promises to completely transform identity management and how users access resources, making for a more convenient, less frustrating user experience and allowing IT teams to sleep at night knowing their enterprise rests in authorized hands.
