Ultimate Guide to Multi-factor Authentication
2 - Deconstructing MFA: Evolution, Authentication Factors and More
Not unlike the telephone’s evolution from rotary to wireless to cellular, multi-factor authentication has continually evolved to meet changing requirements. That means today’s MFA isn’t your father’s MFA—and that’s a very good thing.
The earliest form of MFA was two-factor authentication, or 2FA. As the name suggests, 2FA required that a user provide a second factor beyond a password to prove their identity. The idea was that while a password may be easily guessed or stolen, requiring a second factor could significantly mitigate the dangers of credential reuse. And it did, proving effective at thwarting opportunistic attempts by attackers who test known username and password combinations just to see what might work.
But bad actors have gotten more sophisticated over time. And their attempts to steal credentials and compromise accounts have grown increasingly creative. Fortunately, multi-factor authentication has also advanced to address these evolving threats. But that also means that simply requiring an additional factor is no longer a sufficient defense. And just any factor won’t do either. There are newer and better ways to ensure identity now, providing not just a more secure experience, but a more user-friendly one, too.
The oft-used username and password combination falls into the something-you-know category. In an attempt to increase security, some organizations might require a second something-you-know factor, such as an answer to a security question. But this isn’t MFA, because both factors come from the same category. In fact, if a hacker were able to guess or steal your password, they could probably guess or steal the answer to your security question, too.
Instead, MFA requires that you provide factors from different categories. The idea is that a hacker may be able to guess or steal something you know, but they’ll be far less likely to be able to also supply something you have, like a key card, or something you are, like a fingerprint.
For example, your face (through the use of facial recognition on your phone) could be an additional something-you-are factor in a basic MFA flow that starts with a username and password (a something-you-know factor). It could also be something you have, like a smart card. But the use of biometrics is understandably more popular than physical tokens as it provides a convenient way to prove identity and eliminates costly and/or burdensome hardware. Both of these benefits translate to a better user experience, as well as stronger security. And because biometrics, unlike a code or physical token, aren’t easily intercepted or stolen, you gain a greater level of assurance that a user truly is who they claim to be.
Adaptive Multi-factor Authentication
MFA as described thus far provides a greater level of assurance of user identity than simple username/password authentication. But it has its limitations, too. In its most basic form, MFA relies on a one-size-fits-all approach, requiring an additional factor regardless of the situation. This can be cumbersome for users who are authenticating under typical, low-risk circumstances.
While there’s no debate that MFA provides greater security than passwords alone, you can further strengthen security AND provide a more streamlined user experience with adaptive MFA. Adaptive MFA uses contextual factors and logic-based mechanisms—such as geolocation, time of day, IP address and device identifiers—to determine whether or not a user should be required to use an additional factor to authenticate.
Applying a risk-based approach to authentication requirements, adaptive authentication dynamically assesses the risk of a given operation based on:
The user’s current authentication status.
The risk associated with the resource in question.
The context of the request.
This risk-based approach allows you to establish policies that require an additional factor only when necessary, as determined by risk and not by default.
For example, say an American banking customer uses a password to sign on to a banking site and then tries to transfer money. If that customer signs on from the United States, the MFA system might not require further action. But if they sign on from Uzbekistan, the system could require a second authentication factor to gain a greater level of assurance that the user is who they claim to be.
Simply put, adaptive MFA provides greater control and flexibility, allowing you to strike a just-right balance between security and experience. With adaptive MFA, you can:
Customize authentication requirements based on risk.
Step security measures up or down using adaptive, contextual policies.
Improve productivity by minimizing authentication requirements in low-risk situations, like on trusted networks.
Increase security by stepping up authentication requirements in high-risk situations, like unfamiliar geolocations or high-dollar financial transactions.
Streamline user experience by eliminating extra steps and hardware.
More than Just Adaptive Policies
Beyond adaptive policies, modern MFA provides more integrations and configurations, as well as providing more flexibility and control. With a modern MFA solution, you can:
Protect more channels, like single sign-on, VPN, remote desktop, SSH and more.
Provide support for more use cases, including password resets, self-enrollment, device authorization and management, transaction approvals and passwordless authentication.
Provide support for more authentication methods.
Lower costs by removing the need for traditional hardware tokens, SMS codes and voice calls.
Reduce helpdesk support requirements by taking advantage of broad self-service capabilities.
See our Top 5 MFA Considerations Checklist for guidance on what to look for in an MFA solution.
Passwordless: The Future of Authentication
Passwordless authentication may seem like a radical concept, but it actually borrows from and builds upon the same principles as MFA. The basic premise remains that passwords alone aren’t enough. And passwordless promises a way to bypass passwords altogether.
The elimination of usernames and passwords is also the basis of Zero Trust. In a Zero Trust environment, users are recognized and authenticated based solely on the devices used to access applications and the context in which they’re attempting to access them. Sounds cool, right? But removing passwords entirely may also sound out of reach for your organization.
While going completely passwordless may not be realistic for you now, you can begin building the foundation for Zero Trust sooner rather than later. Reducing the use of passwords is the first step for many organizations.
You can start by leveraging adaptive MFA policies to step down authentication in low-risk scenarios. For example, you could combine a username only (no password) with a lower friction method of authentication—such as a device-based biometric (like a fingerprint) or a swipe—when a user is accessing non-sensitive resources in a typical manner (on a recognizable device and from a trusted network).
This removes friction from the end user experience, and is a good first step. But if you still require passwords in some situations, those passwords are still vulnerable to reuse, theft and subsequent use by a bad actor.
More advanced organizations are adopting standards such as FIDO2, which remove passwords altogether. Instead of passwords, FIDO2 leverages public key cryptography methods that require users to register a device and a domain (e.g., a corporate email) from which future access requests will originate.
While you may not feel ready for this, you may be more ready to start your journey to passwordless authentication than you realize.