Traditional Multi-factor Authentication Approaches are Starting to Fail Us – 3 Ways to Modernize Your Strategy

Even though companies worldwide are struggling to protect systems and data from incessant waves of cyberattacks—there seems to be no end in sightWith the release of the FBI’s Internet Crime Report 2020, it is apparent that cybercriminals took advantage of the impact of the pandemic while many of us were distracted with trying to figure out our “new normal” and the technology we require to support it. The FBI reported over 790,000 complaints and reported losses exceeding $4.1 billion – a 69% increase since 2019.  

The most common attacks were those leveraging email communications such as Business Email Compromise (BEC) and phishing attacks. Cybercriminals took advantage of citizens as we looked to our inboxes for unemployment information, stimulus payments, and other transactions requiring Personally Identifiable Information (PII). In conjunction, cybercriminals leveraged phishing schemes as well as other methods to execute ransomware attacks, which have also been on the rise.  

Multi-factor Authentication Continues to be a Cybersecurity Best Practice

While many security measures are being put in place, multi-factor authentication or MFA has been and continues to be a cybersecurity best practice when it comes to securing access, whether it’s remote or on-premises, and reducing, even preventing cyberattacks.  

Over the years MFA has also evolved as cybercriminals have continued to become more sophisticated in their approaches. We’ve moved from basic challenge questions and answers alongside a password (although that’s not “true MFA”) to now using multiple authentication methods, both with a password or as a passwordless approach. 

Some of the most common authentication methods that are used today to achieve MFA include hardware tokens, and one-time passwords (OTPs) sent via email and/or text messages to a mobile phone. Users are typically given a choice of a single method to leverage when logging in based on their security policy and the applications and data they are looking to access.  

However, what happens when our traditional MFA methods start to fail us 

 

Traditional Multi-factor Authentication Methods Are Starting to Fail Us 

In a recent article, on vice.com, a hacker was able to leverage a business text messaging service and for a mere $16 take over the victim’s phone number and intercept all of their SMS messages. These messages included those with OTPs for gaining access to secure accounts. With little effort, the hacker was able to access the victim’s Bumble, Postmates, and WhatsApp accounts, among others. There was no indication to the victim that the phone had been hacked. 

On the other side, both employees and customers can become sources of cyber risk to an organization, as they resist, avoid, and refuse to adopt MFA methods. Circumventing authentication and using poor security practices can be a top threat to an organization. For example, according to Gartner, Inc. in their 2020 Authentication Market Guide, one of the most common authentication approaches, leveraging the user’s mobile phone, is actually impractical for up to 15% of employees and 50% of customers. In other words, it is not a feasible option. This is due to their work environment, lack of cell phone reception, or even an adverse reaction to using a personal device for business purposes. 

 

Modernize Your Multi-Factor Authentication Approach 

So, it’s time to evolve your MFA approach and make sure it is capable of adapting to the future state of cyberattacks and the needs of your employees and customers 

Here are three recommendations for making sure your MFA strategy is ready for the future:  

  1. Apply advanced authentication approaches: this includes the use of contextual authentication and step-up authentication to be able to strike a better balance between security and convenience. Bringing in the context of the access request or the type of application being accessed can not only make it more difficult for cybercriminals to gain access, but also reward employees and customers when they are requesting access appropriately. For example, changing the type of authentication methods that are required based on a user’s geolocation can make it difficult for overseas cybercriminals to fake an authorized access request. At the same time, an employee who is requesting access from their usual spot, their home office location, may have fewer authentication “hoops” to jump through.  
  2. Flexible Options are Essential: and one thing is for sure, that if your MFA strategy creates friction for your employees and customers, they can become a risk to your business very quickly. One thing to make sure you have is multiple methods of authentication, but also that you are able to give the individual users options at the time they are requesting access. For example, if you have your security policy setup for them to login with a phone-based method and they forget their phone that day, what options do they have to still log in? Setting up a few different methods for each user to choose from, controlled by a security policy, is now the best practice to achieve that flexibility.  
     
  3. Include Biometrics: while biometrics are still being adopted by many organizations all indications are that they are quickly becoming a “must-have” as part of your MFA strategy. With the attacks on phone-based methods and the hassle of many methods such as hardware tokens, biometrics has become the most convenient and secure method according to recent research by Raconteur. Compared to passwords and other forms of authentication, 43% of IT professionals report that biometrics (thumbprint) is “completely secure”. With nothing to carry, nothing to remember, and the fact that they cannot be shared amongst users, including biometrics as an authentication method is critical to future-proof your MFA strategy.  

It’s Time to Change 

With the increase in cyberattacks and the evolution of how advanced cybercriminals’ tactics have become, your multi-factor authentication strategy needs to adapt. The authentication methods, such as hardware tokens and phone-based OTPs, are starting to fail us. They are being attacked by cybercriminals and/or are unusable and disliked by employees and customers. A modern MFA strategy needs to be considered that includes advanced authentication approaches, flexible options to give the user a sense of control, and the most secure and convenient authentication method – biometrics. 


Sign-up for a FREE Trial of PortalGuard IDaaS & Biometric Authentication!

With your free trial you will be able to test out:

  • Flexible Multi-factor Authentication options
  • Biometric Authentication & a FREE fingerprint scanner
  • Single Sign-on
  • Self-Service Password Reset

Sign up for a free trial

 

Tags: Authentication Security, best practices, #cybersecurity, MFA, Multi-Factor Authentication, User Authentication, #userauthentication, Biometrics, IAM, Web Authentication, multi-factor