April 20, 2020

What Is MFA Done Right?

How do you know you are doing something correctly once you decide to do it? Do you just close your eyes and go with the biggest or most well-known vendor? Do you consult with your peers on what they use or ask for recommendations? Do you look at analyst or consultant research on the subject? Do you rely on a trusty Google search to bring you all the information necessary to pick a winner? Any and all of these methods will work for pretty much everything you want to implement, but in the world of IT security, the subject of multi-factor authentication brings up a tremendous amount of confusion.

Multi-Factor Authentication Today

It turns out that most companies still haven’t implemented an MFA solution yet. Many don’t even know what MFA stands for. According to NIST:

“MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”

Multi-Factor Authentication is coming into its own as more organizations recognize the complete vulnerability of password-based authentication. More press is coming to light, first on the impact of stolen credentials and the vulnerability of passwords and second on the value of multi-factor authentication. It is important enough that even the NSA is suggesting that you should transition to MFA immediately. The NSA published a Cyber Information Brief  that covers their Top Ten Cybersecurity Mitigation Strategies, one of which proposes that everyone should Transition to Multi-Factor Authentication, specifically:

“Prioritize protection for accounts with elevated privileges, remote access, and/or used on high value assets. Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords and PINs. Organizations should migrate away from single factor authentication, such as password-based systems, which are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.”

Unfortunately, these solutions impose significant friction through a variety of temporal (e.g., OTP, captchas, reset links) and binary (e.g., fingerprint) controls that have all still proven ineffective safeguards against credential stuffing and identity spoofing. So, now that you are ready for MFA, what is the best way to ensure you are doing it correctly?

Multi-Factor Authentication Done Right

Eliminating the complexity and overhead (read drag or lost productivity) while improving security and the user experience is the prime directive for a new set of selection criteria. In order to be truly secure as well as competitive you should extend your MFA evaluation criteria to include the abilities to: 

  • Enable Frictionless Productivity: facilitate an incredible frictionless user experience with minimal need for typing pins, accepting push messages, scanning QR codes and other types of intelligent MFA pre-and post-authentication whether for web, mobile, cloud or IoT.
  • Orchestrate Dynamic Authentication: monitor user context based on simple yet effective configurable policies that drive dynamic risk-based scoring of authentication requirements, which, in turn, adapt to user behavior, attributes and the ecosystem of associated devices and resources cognitively and continuously.
  • Dramatically Reduce Cost of Operations: eliminate the need for passwords thereby eliminating the need for password resets, which are costly, time-consuming and an unproductive activity for IT, the enterprise and the end consumer. Avoid productivity loss and significantly reduce helpdesk operational costs. Bottomline is that you should never have any passwords required, ever.
  • Prevent Credential Stuffing Instantly: prevents stolen credential stuffing the instant an attempt is made using compromised/stolen usernames and passwords by virtue of its evasion-proof design. Drastically reduce the threat surface for ATO breach using cognitive MFA.
  • Correlate Audit Logs and Threat Intelligence In Realtime: provide detailed telemetry on contextual user behavior and tamperproof audit logs for every authentication attempt, pre- and post-login, in real-time. Detect, analyze and respond to incidents and threat actors instantaneously without the latency or guesswork to substantially reduce the risk of fraud at first attempt.
  • Customize, Integrate And Scale Efficiently: provide out-of-the-box intelligent MFA for Citrix NetScaler/Workspaces, Cisco VPN, HID and Microsoft Hello, in addition to flexible SDKs for web, mobile, FIDO 2.0, DBFP and REST APIs for scale, extensibility, and visibility into the IT ecosystem today.

The Rise Of Passwordless Continuous Authentication

A frictionless MFA solution is the ideal answer. One that actually eliminates the need for passwords in the process of adding even more security to prevent identity fraud at and post authorization is the best approach.

Acceptto’s eGuardian engine continuously creates, and monitors user behavior profiles based on the user interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and assign real-time risk scores to continuously validate your identity prior to, during and post-authentication.

Download the Intellyx’s whitepaper titled  App Authentication Evolves in a World of Compromised Credentials today and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy registering for a free demo today.

Download Intellyx Whitepaper

MFA identity Access Management continuous authentication