Article: Going Beyond 2FA with MFA

So, what is two-factor authentication (2FA)? When users request access to applications and services, 2FA acts as an extra layer of security for ensuring that they are who they say they are. The concept of two-factor authentication isn’t new. It’s been used for years in many areas. In fact, most of us use it all the time when we use an ATM or debit card. The card is “something we have”, the PIN is “something we know”, and the two work together to authenticate the user more securely than the card alone.
Traditionally, 2FA is associated with a broader concept of multi-factor authentication (MFA) where authentication requires more than one factor. Factors are usually categorized as:

  • Something you know - most typically a password or PIN

  • Something you have - a credit card, a mobile phone or a hard token

  • Something you are - biometrics like a fingerprint, retina, or facial pattern

MFA best practices require at least two factors, each from different categories, such as a password and fingerprint, or a password and a one-time passcode (OTP) issued from a hard token.
Why MFA should be every enterprise’s goal

The evidence is overwhelming that passwords, specifically stolen or weak passwords, are the leading cause of security breaches today. Unfortunately, despite this knowledge, enterprises still rely too heavily on passwords as the primary authentication mechanism. So why don’t more enterprises implement 2FA and take back the upper hand in security?
Two-factor authentication is traditionally associated with hardware tokens, which are expensive and complex to administer and implement, and which are a significant impediment to the user experience. Newer, more basic forms of 2FA, like OTP sent via SMS, are better in some ways, but they still prove to be susceptible to attack. In fact, NIST (the National Institute of Standards and Technology) recently updated their standards to disallow 2FA relying on SMS.
By definition, MFA doesn’t limit the number of factors. It emphasizes the use of a broader set of factors across multiple categories. A modern MFA solution benefits the enterprise with:

  • Reduced costs - Using apps on mobile devices in combination with MFA cloud services reduces cost and administrative burden.

  • Improved security - Using existing biometric technologies such as TouchID improves security and even user experience.

  • Simplified administration - Most newer solutions allow users to self-register and administer their own devices.

  • Improved user experience - Using contextual data gathered from a mobile device or the network has no impact on the user. A simple swipe or TouchID ceremony is frictionless.

Best Practices for MFA in the Digital Enterprise

When determining the best MFA solution for your enterprise, there are several things you should consider. Here’s a shortlist of the most important variables:

  • Strength of security - Does it allow use of proven methods that’ll meet your security needs?

  • IT cost and overhead - How easy is it to implement and maintain?

  • User experience - Will it be easy for users to adopt and use?

  • Industry compliance - Does it meet compliance standards you need to adhere to?

  • Standards - Does it support identity standards such as FIDO?

  • Flexibility - Will it support dynamic, step-up authentication?
With these variables in mind, it’s clear that MFA shouldn’t be a static, one-size-fits-all solution that’s applied for every user and every application in a uniform manner. Just take a look at our white paper, and you’ll see how a deeper, more contextual MFA approach is the key to securing the digital enterprise.
The best MFA solutions will allow you to implement a risk-based, step-up authentication process that dynamically assesses the risk associated with the user making the request, the device being used, the network, the location of the user, the resource or application being requested, and many other factors. Based on the associated risk, an appropriate request for authentication factors is made, with the goal of making the least impact on the user while still meeting the minimum security threshold.
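As an added illustration (not code from the original article or from Ping Identity), the following Python sketches a risk-based step-up policy of the kind described above: it enforces the best-practice rule that factors must come from at least two categories, treats SMS OTP as a weak factor in line with the NIST change mentioned earlier, scores a request from contextual signals (device, network, location, resource) that cost the user nothing, and asks only for the factors not already presented. The factor catalogue, risk weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Hypothetical factor catalogue; SMS OTP stays in the table but is flagged weak.
FACTORS = {
    "password": Category.KNOW,
    "hard_token_otp": Category.HAVE,
    "push_approval": Category.HAVE,
    "sms_otp": Category.HAVE,
    "fingerprint": Category.ARE,
}
WEAK_FACTORS = {"sms_otp"}


def is_mfa(factors):
    """Best-practice MFA: at least two distinct categories and no weak factor."""
    cats = {FACTORS[f] for f in factors}
    return len(cats) >= 2 and not (set(factors) & WEAK_FACTORS)


@dataclass
class Context:
    known_device: bool
    corporate_network: bool
    usual_location: bool
    resource_sensitivity: int  # assumed scale: 1 (low) to 3 (high)


def risk_score(ctx):
    """Each anomalous contextual signal raises the score (assumed weights)."""
    return (ctx.resource_sensitivity + (0 if ctx.known_device else 2)
            + (0 if ctx.corporate_network else 1) + (0 if ctx.usual_location else 1))


# Rungs ordered from least to most user friction; each rung must itself be MFA.
LADDER = [
    (3, ["fingerprint", "push_approval"]),                # low risk: swipe/TouchID only
    (5, ["password", "fingerprint"]),                     # medium risk: add the password
    (99, ["password", "fingerprint", "hard_token_otp"]),  # high risk: three categories
]
assert all(is_mfa(rung) for _, rung in LADDER)


def required_factors(ctx):
    """Lowest-friction rung whose ceiling still covers the computed risk."""
    score = risk_score(ctx)
    return next(rung for ceiling, rung in LADDER if score <= ceiling)


def step_up(already_presented, ctx):
    """Factors still to be collected when a session moves to a riskier request."""
    return [f for f in required_factors(ctx) if f not in already_presented]
```

A session that began with a fingerprint and push approval on a known device is asked for only the password and hard-token OTP when it later reaches a high-sensitivity resource from an unknown device off the corporate network.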

The world's leading companies are protected by Ping Identity