Top 10 Legacy IAM Challenges, Part 3: Legacy Multi-factor Authentication

February 27, 2018
Andrew Goodman
Sr. Product Marketing Manager

Strong authentication solutions have been around for many years, but legacy multi-factor authentication (MFA) vendors have decreased investment in these solutions, leaving troublesome capability gaps. As you extend access beyond the firewall to increasing numbers of employees, partners and customers, it will be difficult to offer the security, flexibility and efficiency that your enterprise requires.

These legacy systems can be complex to manage and hurt end-user productivity. Beyond the cost of licensing, these systems are anything but free. Ownership costs add up quickly for highly available on-premises infrastructure and tens of thousands of hardware tokens. Significant labor costs are needed to maintain, patch and upgrade business-critical servers, ensure end-user device compatibility, and handle onerous help desk call volumes.

Today I continue our 4-part series on the top 10 legacy IAM challenges by diving into three problems surrounding legacy MFA solutions.

Problem #1: Authentication without context

Legacy two-factor authentication (2FA) systems centered on what you know (credentials) and what you have (hard or soft tokens) are a step above credentials alone, but they offer little insight into the users and devices being authenticated. Legacy solutions lack the capabilities to enforce policies based on risk, including the inability to leverage contextual, behavioral or correlative factors like geolocation, device posture and nature of the transaction being attempted. This lack of capabilities makes establishing a level of assurance a difficult task that oftentimes leads organizations to implement binary, yes or no access decision frameworks. In reality, this “compromise” forces you to choose between user experience and security.


Identity federation solutions are often the delivery method of choice for contextual data, providing continuous authentication with real-time updates of user and device context. The lack of out-of-the-box, supported methods for integrating legacy MFA solutions with identity federation solutions represents a significant obstacle to a better security posture. Given all these limitations, even users in highly trusted, low-risk scenarios must authenticate using the most restrictive methods. And that leads us to the second legacy multi-factor authentication challenge:

Problem #2: Reduced productivity

Forgotten PINs, tokens and passcodes place heavy burdens on your IT team. Estimates of the exact cost vary, but a Gartner Group survey shows that between 20% and 50% of all help desk calls are for password resets, while Forrester Research calculates the average help desk labor cost for a single password reset at about $70.


There’s also the negative effect on the user experience to consider. Users are irritated when forced to switch between applications on different devices to enter a one-time passcode, and lockouts are common when users are allowed only one authentication device. These complex end-user processes frustrate users and decrease productivity.


The use of modern multi-factor authentication methods such as out-of-band push notifications creates a less costly and more user-friendly experience for all parties involved. With a solution like PingID, end users can securely authenticate using a range of second factors such as mobile swipe or biometric-based push notifications, a desktop application, YubiKeys, Apple Watches and more.

Problem #3: Restricted integration points

Legacy MFA systems with limited authentication flexibility can impede your enterprise’s digital transformation by limiting the use cases where multi-factor authentication can be applied. A few examples where authentication flexibility is required include:


  • In areas where cellular coverage is spotty, SMS may not be available
  • In buildings where employees wear gloves, fingerprint authentication is cumbersome
  • In facilities where phones are prohibited, software tokens are ineffectual


These restrictions apply to much more than situational use cases. Most legacy solutions have difficulty extending beyond VPN or remote access, and cannot be used for today’s web and mobile apps, APIs, Linux or Unix servers, Windows login, offline multi-factor authentication or other use cases.


Your enterprise needs a solution that offers more flexibility. Security and user experience are a balance, not a choice. You need to optimize productivity while enhancing security with an authentication system that allows you to integrate MFA into every application and silently authenticate users under trusted circumstances, based on information such as allowed or disallowed devices, minimum OS version, device lock status and more.
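As an added illustration (not code from this post or from PingID), the constructed policy below contrasts the context-free decision of a legacy token system with the contextual decision described above: device allow/deny lists, minimum OS version, device lock status, geolocation and the nature of the transaction feed one risk assessment that selects a silent, push or hard-token step. All device ids, countries, transaction names and thresholds are assumed sample values.

```python
from dataclasses import dataclass
from enum import Enum

class Step(Enum):
    SILENT = "silent"          # trusted context: no interactive second factor
    PUSH = "push"              # out-of-band push to the enrolled device
    HARD_TOKEN = "hard_token"  # most restrictive method available
    DENY = "deny"

@dataclass(frozen=True)
class Context:
    device_id: str
    os_version: tuple           # e.g. (12, 1)
    device_locked: bool         # screen lock enabled on the device
    country: str                # country derived from geolocation
    known_countries: frozenset  # countries this user normally signs in from
    transaction: str            # nature of the transaction being attempted

# Constructed policy parameters; a real deployment loads these from its policy store.
ALLOWED_DEVICES = frozenset({"dev-1001", "dev-1002"})
DENIED_DEVICES = frozenset({"dev-9999"})
MIN_OS = (12, 0)
HIGH_RISK_TRANSACTIONS = frozenset({"payment", "admin"})

def legacy_step(_ctx: Context) -> Step:
    """Legacy 2FA sees no context, so every login gets the most restrictive method."""
    return Step.HARD_TOKEN

def adaptive_step(ctx: Context) -> tuple:
    """Choose the second factor from device posture, location and transaction risk.
    Returns (step, reasons) so the decision is auditable rather than a bare yes/no."""
    if ctx.device_id in DENIED_DEVICES:
        return Step.DENY, ["device is on the disallowed list"]
    reasons, risk = [], 0
    posture_ok = (ctx.device_id in ALLOWED_DEVICES
                  and ctx.os_version >= MIN_OS and ctx.device_locked)
    if not posture_ok:
        reasons.append("device posture below policy minimum")
        risk += 2
    if ctx.country not in ctx.known_countries:
        reasons.append(f"sign-in from unfamiliar country {ctx.country}")
        risk += 1
    if ctx.transaction in HIGH_RISK_TRANSACTIONS:
        reasons.append(f"high-risk transaction: {ctx.transaction}")
        risk += 2
    if risk == 0:
        return Step.SILENT, reasons
    return (Step.PUSH if risk <= 2 else Step.HARD_TOKEN), reasons
```

The same trusted user on a compliant, locked device from a familiar country is waved through silently by the adaptive policy but still prompted for a hard token by the legacy one; raise the transaction risk or change the country and the adaptive step escalates accordingly.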

Flexible and Adaptive Authentication

Your legacy authentication solution was a game changer in its time, but that time has passed. A modern solution has the flexibility to meet corporate and user needs, improves productivity and security, and offers savings in infrastructure, support and labor. To learn more, get your complimentary copy of “The IAM Pro’s Guide to Building A Business Case For Upgrading On-prem 2FA to Cloud-delivered, Adaptive MFA”.

Up next will be the final blog post in this series, on the excessive administrative and hardware costs of your legacy IAM solution.


Watch this webinar replay to learn the requirements for rapid adoption and implementation of MFA everywhere.