Multifactor authentication (MFA) is the clear first move for safeguarding organizations against attackers who rely on stolen or guessed credentials. By some estimates, a well-implemented MFA strategy can prevent 90% of cyberattacks, making it an obvious move for IT teams. The caveat is that MFA only helps against attacks that pass through a login; it does nothing against attacks that never present credentials, such as exploitation of an unpatched service. In spite of the benefits, only 43% of organizations have implemented MFA so far. To determine which MFA method is the best fit, an organization needs to analyze the needs of its employees, customers, and suppliers: how and when each group accesses networks, systems, and data, and how critical those assets are to secure.
Pain Points from Traditional Approaches
Security controls are only effective when people actually use them. One of the main weaknesses of passwords is password fatigue: people reuse the same password across accounts so they have less to remember, which means a single breached site exposes every other account that shares the password. Even when people do use unique passwords and their company runs phishing training, attackers keep refining their lures, leaving employees with the impression that they will be compromised whether or not they follow best practices.
A good second factor has to be both convenient and trustworthy in users' eyes if it is to be adopted and used consistently by everyone.
Perhaps it is for these reasons that hardware tokens have seen slow adoption, with only 4% of the financial sector and 19% of government agencies that use MFA choosing them as a second factor. Hardware tokens are physical devices, such as a USB security key, that must be present to access a system. They offer greater security than passwords and most phone-based methods (a FIDO2 key, for instance, signs a challenge bound to the site's origin, so a phishing page cannot relay the response), but their convenience is questionable: people lose or misplace them, so the burden of keeping the token falls on the user. They also share the basic weakness of any "something you have" factor: a token can be handed from one person to another, and the system cannot tell who is holding it. Modern keys mitigate this with a PIN or an on-device fingerprint check, but that protection only applies if the relying party actually requires user verification.
While convenience may be king for users, organizations also have to weigh how strong each method actually is at proving who is on the other end before deciding who can and cannot reach critical information. As MFA spreads, so do the techniques attackers use to get around the most common second factors. Most of us are familiar with one-time passwords (OTPs): a short code sent to, or generated on, a registered device such as a smartphone. OTPs fail in two ways. A code delivered by SMS can be intercepted, for example through a SIM swap. And any OTP, including one from an authenticator app, can be phished, because the code is not bound to the session it was meant for: a real-time phishing page, or an automated OTP bot that phones the victim and asks for the code, can relay it to the real site within its validity window. NIST began discouraging SMS delivery of OTPs in its 2016 draft of SP 800-63B (the final 2017 guideline labels it "restricted"), though it does not reject OTPs as a category. Despite this, OTPs remain one of the most prevalent second factors for companies and users alike.
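To make the relay problem concrete, here is an added example (not code from the original article or from any vendor it mentions): a minimal RFC 6238 TOTP verifier in Python using only the standard library, plus a simulated real-time phishing relay. The server class, user name, secret and timings are constructed for illustration. It shows that a correctly implemented server with replay protection still accepts the relayed code, because nothing in a TOTP ties the code to the session or site where the user typed it.

```python
"""Added example, not from the original article: RFC 6238 TOTP plus a
simulated adversary-in-the-middle relay.  The secret, user and timings are
constructed for the demo."""
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step, seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side (common server setting)

# Constructed demo secret, base32 as an enrollment QR code would carry it.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def code_for(secret_b32: str, at: int) -> str:
    """What the user's authenticator app would display at time `at`."""
    return totp(base64.b32decode(secret_b32), at)


class OtpServer:
    """Toy server holding one TOTP secret per user.

    It records the last accepted counter so a code is never accepted twice
    (RFC 6238 section 5.2), but it cannot tell whether the code was typed by
    the user or relayed by an attacker inside the same window.
    """

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def enroll(self, user: str, secret_b32: str) -> None:
        self.secrets[user] = base64.b32decode(secret_b32)
        self.last_counter[user] = -1

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter[user]:
                continue  # replay protection: an already-used step is never re-accepted
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c
                return True
        return False


def relay_attack(server: OtpServer, user: str, secret_b32: str, now: int):
    """Simulate a phishing page that proxies the login in real time.

    1. The victim reads the current code off their authenticator and types it
       into the phishing page.
    2. The phisher forwards it to the real server a few seconds later.
    Returns (victim_login_ok, attacker_login_ok).  The attacker's submission
    lands first and is indistinguishable from a genuine one; the victim's own
    later attempt is what the replay check rejects.
    """
    code = code_for(secret_b32, now)
    attacker_ok = server.verify(user, code, now + 5)
    victim_ok = server.verify(user, code, now + 8)
    return victim_ok, attacker_ok


if __name__ == "__main__":
    srv = OtpServer()
    srv.enroll("alice", DEMO_SECRET_B32)
    print("victim ok, attacker ok:", relay_attack(srv, "alice", DEMO_SECRET_B32, 1700000010))
```

The server is doing everything RFC 6238 asks of it, including refusing replays, and the attack still works; the fix is not a better OTP check but a factor whose proof is bound to the origin or session (as a FIDO2 key's signed challenge is) or that verifies the person rather than a transferable secret.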
Your Strategy Must Include “Something You Are”
As discussed above, hardware tokens can be lost or handed off, passwords phished, and OTPs relayed. Relying solely on things we have and things we know leaves a gap between the security organizations hope to get from MFA and what they actually get. Centralized biometrics, such as Identity-Bound Biometrics (IBB), address that gap by adding a third factor. By enrolling a biometric centrally with the organization, users can authenticate without being tied to a particular device or token, and the organization can verify that the authorized person is the one on the other side of the screen. For example, when a person's fingerprint is scanned, the sample is compared against the template on file with the organization; a match is strong evidence that the person is who they claim to be, subject to the sensor's false-accept rate and to liveness checks against spoofed prints. Two things follow for whoever runs such a system: the template store becomes a high-value target that must be protected at least as carefully as the password database, and because a fingerprint cannot be rotated the way a password can, it belongs alongside another factor rather than as the only one.