SecureAuth Named a Leader in KuppingerCole Leadership Compass Report for Customer Identity and Access Management

Identity 101: When “Good Enough” MFA Just Isn’t Good Enough

Mike Talon
October 03, 2017

Get the latest from the SecureAuth Blog

When looking at identity security solutions for your organization, you may find that many vendors offer native multi-factor authentication (MFA – also known as 2-factor authentication, or 2FA). When presented with the ability to do this by the app in question, why would you look at any other solutions? This is especially true when the product in question offers what seems to be “good enough” protection in the first place.

Having spent many years working with customers in high availability and disaster recovery, I ran into this all the time. We protected Windows systems for the most part and of course, Microsoft offers several tools and software platforms to perform this kind of function – from Windows backup and failover clustering to Azure backup and others. These tools were perceived as “good enough” to protect critical data systems and were included either for free or at much lower prices than the solutions I was offering; so many customers opted for the good enough solution at the lower cost – or no cost at all. As someone customers would turn to after a major outage, I can tell you from experience that is wasn’t good enough.

With identity security, the same holds true. Many vendors offer simple second-factor authentication as part of their applications, and it appears to be good enough to make sure unauthorized users don’t log in. Why would you look at third-party tools in these circumstances? Here are a few very good reasons:

Simple MFA is not enough

While using a second factor is better than nothing, it falls far short of being a complete identity security solution. Phones which receive SMS text messages can be stolen, and often have weak passcodes — if any at all. Phone service can be cloned and re-routed to a different device. End-users have been over-acclimated to accepting requests that pop-up on their phones, so MFA apps might not be the best solution when used alone.

You need to analyze the behavior of those trying to log in:

  • Are they logging in outside of normal business hours, or in a different physical location than they should be, or attempting to access resources they are not authorized to use?
  • Are they coming in via a phone number recently ported to a new device, or attempting to log in from a TOR network or other location-obscuring service?
  • Even more unsettling, how can you ensure that credentials which have been compromised cannot be used to access other services?

MFA alone cannot detect these anomalies, but they are critical to determining who should be allowed to get in and who should not.

All your eggs in one basket is bad

Things in the technology world, and especially legacy technologies, have a habit of clumping together. We tend to put everything on one hypervisor, or one cloud platform, and while this makes administration much easier, it also makes an attack much easier to perpetrate. If both your identity security system and your critical data/applications are managed by the same provider, then attacking the provider will grant access to everything – a nightmare scenario.

You need to separate the system that grants access from the platform being accessed so that a successful attack on one segment of the ecosystem cannot allow an attacker to gain access to other segments. By using a third-party platform for a key access area, such as identity security, you prevent an attack against the underlying platform from opening the door to everything. The attacker might be able to gain access to your service provider, but won’t be able to access your services.

We are spreading out rapidly – to SaaS apps mostly

While legacy technologies tend to form clumps around specific platforms and providers, things are changing fast. Today, it isn’t uncommon to see one organization using resources from multiple SaaS platforms, multiple cloud providers, and multiple hypervisors. Here, a MFA-only system that is tied to one of those platforms leaves all the others wide open. Your choice is to either manage multiple MFA platforms – one for each service or app – or leverage an independent toolset.

Having a third-party identity security system that is vendor-neutral and based on open standards will make securing user credentials across all platforms and vendors much easier to manage.

  • First, user access can be managed centrally – including protecting the administrative accounts that do that management.
  • Secondly, end-users get a central location for self-service or assistance, which is not dependent on the support contract with a given vendor.
  • Additionally, with adaptive methods of authentication a compromise of credentials from one site can be effectively contained (and platform managers immediately alerted), and other credentials for that site aren’t in danger.

As you can see, the basic tools provided for free or at low cost as part of these first-party platforms aren’t actually good enough for the modern business. With legacy systems clumped together, newer platforms spread apart, and the relative ease which attackers seem to have defeating basic MFA solutions, you need to look at better solutions for identity security. Working with a vendor – like SecureAuth IAM – that can provide a robust and thorough adaptive authentication platform that is vendor-neutral will keep your organization safe, and your end-users happy.


Related Stories

Pin It on Pinterest

Share This