Beyond Passwords: The Pros and Cons of Multi-Factor Authentication in a Post-Pandemic World
Cyber security strategies must account for a new reality which has emerged in the two years since IT and security professionals scrambled to secure the transition to remote working. The home is now part of the corporate network – and authenticating access to critical applications and systems by remote workers is becoming a security strategy sticking point.
Multi-factor authentication (MFA) would seem to be the answer, but does it create as many problems as it solves when deployed at scale? Complex supply chains – relied on, ironically, for product creation by the industries most in need of robust cyber security – find it hardest to implement MFA for the thousands of supplier users who access sensitive digital environments from beyond the traditional security perimeter.
Once MFA and 2FA (defined below) have been weighed up, other factors such as employee willingness and contractor workforces should be accounted for to prevent unintended new security risks.
How far has MFA adoption in business progressed?
For those less well versed in cyber security, multi-factor authentication is a security control that requires users to verify their identity by presenting more than one independent piece of evidence before they are granted access to a device or application. Entering a username and password alone is single-factor authentication, and in today's threat landscape its days could be numbered.
MFA is not to be confused with single sign-on (SSO), which reduces the number of passwords and login credentials a user has to remember and enter when accessing applications. The two are complementary: SSO reuses one login across many applications, and MFA is what protects that one login.
Several industry reports and surveys show that spending on MFA increased significantly in reaction to COVID-19; in one recent survey, nearly three out of four respondents said they plan to increase spending on MFA.
This shows a definite acceleration towards MFA, but there is no one-size-fits-all approach; the adoption and type of MFA chosen will depend on an organisation's specific ecosystem. A timely example: I have had to use three different authentication apps during the course of writing this article, one to access Office 365, one to access my bank account and one to access our Salesforce platform.
Authentication factors fall into three categories, given here in order of how often they are deployed:
- Knowledge – something the user knows, for example a user ID, PIN or password.
- Possession – something the user has in order to log in, for example a key fob, smartphone or ID card.
- Inherence – something the user is: biological traits such as a fingerprint, retinal scan or facial recognition.
The difference between 2FA and MFA is straightforward. Two-factor authentication (2FA) uses exactly two of these categories to verify a user's identity, whilst MFA uses two or more; 2FA is therefore a special case of MFA. The factors must come from different categories: a password plus a security question is still single-factor authentication, because both are things the user knows.
Choosing which kind of MFA to use for your business? Here’s what you need to think about.
You would think that the more factors required to verify identity, the greater the resulting security. You would be right, but each additional factor brings new challenges, and the security benefit of MFA depends on choosing the right type for your organisation.
When choosing an authentication strategy, organisations must also consider user experience and adoption, both of which can diminish as the number of authentication factors grows. MFA with more factors increases complexity, administration and support costs compared with 2FA.
Slow, cumbersome or unreliable authentication can even undermine the security it was designed to uphold: when security controls prevent users from getting their work done, they quickly look for ways around the rules.
The MFA solutions generally thought to strike the best balance between flexibility and robustness are authenticator apps installed on a mobile device, such as Google Authenticator, Duo Mobile or LastPass Authenticator, which generate short-lived one-time codes from a secret enrolled on the phone. MFA is often seen as low-hanging fruit when shoring up an organisation's cyber defences, but there are a number of obstacles and challenges to navigate on the road to successful implementation and adoption.
Deploying MFA for contract workforces without creating new security risks.
In industries where contract staff make up a significant proportion of the workforce and supply chain, specific due diligence is needed to ensure that MFA does not become a barrier to frictionless working. Many contractors have no company device, so there is a danger that the MFA technology rolled out is rejected by a proportion of the workforce. A well-known automotive engineering organisation in the UK recently polled its workforce: of 300 respondents, one-third said they would not install an authentication app on their personal mobile device.
With this mindset evident among a significant number of contractors and others without company devices, many organisations face a dilemma: roll out and be damned, knowing that a significant number of staff may be locked out of essential technology, or investigate other avenues that are either more cumbersome (such as dedicated hardware tokens) or less secure (such as SMS- or email-based authentication).
SMS authentication may fall foul of the same objection as authenticator apps, in that contractors will likely need to give the organisation their personal phone number, which some cannot or will not do. SMS codes are also weaker than app-generated codes, because a message can be diverted by an attacker who takes over the phone number, for example through SIM-swap fraud. A further concern is ensuring the message reaches the recipient in a timely manner. That may seem straightforward, but for organisations that are geographically dispersed, with supply chains spread even more widely across the globe, reliable delivery across carriers and countries is not a simple task.
Email authentication could overcome the delivery problem, since it is more reliable and can be read on mobile and non-mobile devices, but it is weaker than the other methods: a code is only as safe as the mailbox it lands in, so an attacker who has stolen, phished or hijacked the email account, or who can spoof or redirect mail, receives the second factor along with the first.
The reason for this acceleration in adoption is simple: to enhance security. With cloud migrations, digital transformation projects and working from home looking like it is here to stay, the pace of MFA adoption and spending looks set to increase in the years to come.
The heightened cyber threat since the pandemic and the war in Ukraine, combined with the move to remote working, has created a perfect storm that needs to be addressed, and industry cannot afford to be complacent. At the same time there is a need to explore and invest in the right MFA technology to best resolve the flexibility versus adoption versus security conundrum.
Author: Simon Ordish, Director, Majenta Solutions Ltd.