Traditional ways of gaining access to an account or information, think usernames and passwords, remain common, but their shortcomings pose liabilities.
How do you confirm that people requesting access to your system and files are who they say they are? One way is to ask them to confirm their identity multiple times before granting access – otherwise known as Multi-Factor Authentication (MFA). Chastised in the past for awkward or clunky user experiences, new streamlined ways of authenticating people are quickly proving their value.
As the saying goes: A chain is only as strong as its weakest link. The same mantra may be applied to a cybersecurity program, where a single weak lock can pose a critical vulnerability to an entire company’s network. In the case of authentication, internal employee slipups can render even the strongest digital locks obsolete. Passwords were responsible for 81 per cent of breaches in 2017.
From weak or easy-to-guess passwords, like ‘p@ssword,’ to password reuse across multiple accounts, people cannot be trusted to create keys granting access to digital assets. But if multiple digital locks are created, each requiring a unique authenticating factor to grant access, it is theoretically harder to force access. That is what makes MFA systems so effective at protecting valuable data.
MFA helps mitigate the vulnerabilities presented by weak password habits by requiring additional authenticating ‘factors’ before granting access. These factors can vary in terms of complexity but are usually something unique or known only to the individual. This ensures that if a single factor is compromised, guessed or lost, like a password or PIN, other factors, maybe a birth date, remain to accurately verify the identity of who or what is trying to gain access.
“Imagine somebody is trying to hack an account and they correctly guess a user’s password,” says Chris Peel, VP Customer Engineering at Echoworx. “With MFA, they may try to log in, but the owner of the account gets a pop-up on their mobile device notifying them that someone is attempting to login. Access can then be denied by the person – using this second factor of authentication.”
There is no ‘one way’ of conducting MFA. The term is loose and can be applied to a variety of authentication systems – from so-called ‘Strong Authentication,’ a variant of Two-Factor Authentication now a requirement for transactions over €30 in Europe, to hard-token MFA, where a physical token is required to gain access. These systems vary in the amount of security they provide – with some even deliberately hindering user experience to emphasize the importance of the access they provide.
But new digital variants help make MFA a relatively frictionless experience – with little to no impact on user experience. A bank portal, for example, might ask a banking customer for a password as one factor, or way, of authenticating their identity. But, as a second factor of authentication, the bank may also demand a Time-Based One-Time Password (TOTP) – a single-use and time-stamped random code – issued from an app installed on the customer’s mobile phone. This additional verification is completed by the customer without leaving their mobile phone. The key, you must keep it simple. Mark Risher, who manages Google’s identity systems says, “People won’t accept more security than they think they need.”
When it comes to protecting customers and the digital infrastructure of an organization, adequate authentication should not be an option – and it does not have to be. According to a report conducted by the Global Information Assurance Certification (GIAC), 87 per cent of respondents were favourable of having to authenticate themselves after being told what it was for.
The GIAC study illustrates that, while MFA might be initially viewed as security overkill by people, the same people view it favourably once they are made aware of what it is, and the protection benefits it provides them. Today most service organizations got the message: consumers want two-factor. If you do not offer it, they’ll find the service that does.
If digital trust is the new currency of customer experience, MFA is one of the locks holding everything in-place. The average user assesses the safety of an email in just 30 seconds before replying with personal information, says Echoworx in a survey they conducted. Yet, more than three quarters of people will leave a company who mishandles their data. If people cannot be trusted to safeguard access to their own data, organizations need to ensure a single digital slip-up doesn’t enable fraudulent access.
To make sure that right people enter and access the right information, MFA assures organizations that their entire network won’t be compromised by a single person – helping solidify levels of digital trust.
While not uniformly mandatory under any regulation, MFA is quickly becoming a recommended default. For example, as per the European Central Bank (ECB)’s European Payment Services Directive (PSD2), transactions conducted over €30 must feature ‘Strong Authentication,’ to comply with their ‘Strong Customer Authentication (SCA)’ practice. In the wake of this regulatory development, 84 per cent of affected organizations outline MFA as a priority investment. For independent bodies, this trend continues, with certification bodies, like the PCI Security Standards Council, which is responsible for managing PCI DSS, highly recommending MFA for any future developments.