Multi-factor authentication has become a must-have for any cybersecurity strategy, yet getting customers, employees, and suppliers to use it has been a challenge. There is always a group of users, or even a CEO, who does not want to use the authentication method IT administrators provide. But successful MFA relies on successful adoption.
IT directors and managers are now “change managers”, needing to investigate and deploy the authentication methods that work best for their users while moving away from passwords. A wide variety of authentication methods is in common use, and to meet all your users’ requirements it is important to understand the options that exist. Here, we take an honest look at each method based on its convenience and security.
Let’s Talk: Authentication Methods
Passwords and Password-based Authentication
Even in 2021, passwords continue to be the most common form of authentication. 85% of organizations use them for employee access and 78% of organizations use them for customers. While they served their purpose of protecting our critical data for the past few decades, they have since become more and more vulnerable to cyberattacks and are now seen as the weakest method of authentication. Passwords are formed as a string of letters, numbers, and special characters. Users have a hard time remembering them, so the variations they fall back on are easy for hackers to guess.
Overall, passwords cause too much friction for the end user, and many users write them down, share them, and reuse the same one for multiple applications. With a lot of passwords to remember, many people choose convenience over security, creating simple passwords that are easier to remember instead of secure ones. Even well-chosen passwords remain prone to phishing attacks, so this kind of password hygiene is no longer sufficient even as a basic security measure.
According to tech.co, the average person is juggling 100 passwords across various applications and services. The bad news is that best practice is to use a different password for each account, meaning a user with 100 separate accounts would need to remember 100 different passwords. Because 100 passwords are too many to remember, it is inevitable that users forget one and deal with the cumbersome process of resetting it. However, only 49% of users have different passwords across their accounts, meaning more than half of users reuse their passwords. The bottom line is that passwords have a lot of vulnerabilities and are no longer enough to protect your data.
PINs
On the surface, PINs are very similar to passwords. Unlike passwords, PINs are generally a smaller set of numbers, often four digits in total. Their length can arguably make PINs seem weaker than passwords, but PINs are more device-based, securing a device as opposed to an account. For example, some accounts may require devices that are secured with PINs, so if a threat actor had access to an account that required a specific device to use it, then the threat actor would also need that specific device and the PIN associated with it.
Regardless, PINs still offer a low level of security for similar reasons as passwords, and while they are a cheaper authentication method compared to others, PINs are best suited for multi-factor authentication, in combination with other factors, rather than as a standalone method.
One-time Passcodes (OTPs)
OTPs, or One-Time Passcodes, are codes delivered by an app, token, or SMS message. They are most heavily used for multi-factor authentication in combination with a password and offer a higher level of security, since each passcode can be used only once and is valid only for a certain timeframe. We now use OTPs often throughout our day-to-day activities, with common applications such as social media sites, online banking, and email requiring that users enable OTPs for MFA.
The convenience of OTPs is that there is no need to remember and update long strings of characters, because the code sent to your phone [or another device] is unique and auto-generated by the system. With OTPs, users receive a text or use a third-party authenticator app that loads a new OTP, meaning the one-time passcode is right in front of the user with no worry about remembering a difficult string of characters.
The early perception of OTPs was that they would be difficult to steal, considering each code requested is different and not static. However, cybercriminals have proven that perception wrong. It is not the OTPs themselves that are being hacked, but their delivery methods. Modern phishing techniques and SIM swapping allow hackers to obtain OTPs when they are texted to a user’s phone [via SMS]. It is not the end of the world for OTPs, though, as security experts recommend using the app or token options to receive OTPs.
Smart Cards
Where passwords and PINs fall under the “something you know” category, secure smart cards fall under the “something you have” category. A multi-factor authentication solution that utilizes smart cards is safe from remote hacking and phishing attacks because it requires an actual physical card to be present at the point of login. To some, this is more secure than utilizing a method that is “something you know”.
When employees started working from home, IT directors sought MFA options that reduced the risk of successful phishing attacks, and physical methods were often the solution they selected. Additionally, with contactless card technology widely available, a simple tap is all it takes for users to log in, which is convenient where users require quick access. Like other physical methods, however, cards are subject to being lost, stolen, or shared.
Hardware Tokens
Like cards, hardware tokens are a physical method falling under the “something you have” category. The difference between tokens and cards is the physical shape and accessibility of a token. Tokens, for example FIDO security keys, generally take a smaller form and come in a wide variety of configurations, most commonly USB-A and USB-C. A USB token just needs to be plugged into a device, while a wireless token only needs to be near a device to vouch for a user’s login. These tokens can bring multi-factor authentication to desktop and mobile channels with ease.
Yet again, like cards, tokens can be lost, stolen, and shared, and each time a user loses a token or card or has it stolen, the organization must pay to replace it and have the user register it all over again. Unfortunately, tokens also inhibit workflow and add a layer of friction to the user’s login, as users often spend time searching for their token.
Biometric Authentication
With cyberattacks becoming more prevalent, biometric authentication is referred to as one of the best practices for authentication security. Unlike the previous methods, biometric authentication falls under the “something you are” category, signifying that this method verifies the user, not just their token or device. When users utilize other authentication methods, IT directors assume that those users are who they say they are, knowing there is room for uncertainty.
With biometrics, IT directors can be 100% sure that a person using their biometric to log in is the person who was originally enrolled to do so. This is the core understanding of biometrics: a person can be accurately and uniquely identified by individual physical and behavioral traits. In recent years, biometrics has become a staple in the authentication sphere, and these innovations have become more accessible to the everyday consumer. For example, from fingerprint biometrics to facial recognition on cell phones, users have convenient alternatives to the ever-dreaded password or PIN.
Which methods will you use in 2022?
Authentication methods are constantly evolving, with new and improved methods being introduced. The approach, however, needs to accommodate all users while protecting the organization from cyberattacks. While we can talk about how organizations need to move beyond passwords, organizations must also consider how to balance a better user experience, which drives adoption, against stronger security.
Implementing authentication methods that work for your users is easier said than done, and many organizations have a hard time finding the right mix of authentication methods that works for them. Check out this in-depth MFA survey, which examines how organizations manage security and authentication and explores decision makers' attitudes toward various authentication methods, including passwordless approaches and biometrics.