Interview with an Expert: Andy Osburn on Multi-Factor Authentication

February 11, 2016

Earlier this week we shared with you all of the reasons that you needed multi-factor authentication for your organization. However, we didn’t realize the number of questions that were still out there about this new technology and were thrilled to have so many comments and conversations around this topic. In an effort to share these conversations with the rest of the world, we have invited our multi-factor authentication expert, Mr. Andy Osburn, to sit down with us and answer some of these burning questions.

Courion Corporation: Multi-factor authentication is a mouthful- what does this really mean and why is it so important?

Andy Osburn:Multi-factor authentication is really about moving beyond the simple standard of authentication that is in place today in the form of Passwords and PINS. Each of us in our everyday lives would be familiar with the many resources we access by claiming our identity through a user name and then authenticating by Password or PIN. This basic method of identity claim and authentication has provided the foundation for providing access control over the years, however, our environments have changed, become more complex and risk-critical as a result. The threats and consequences of resource compromise are now much higher and more significant. Hence, the requirement for, and movement towards, stronger and more convenient methods of authentication beyond passwords and PINS.

CC: How is this more secure than a pin number?

AO:A PIN is a single-factor of authentication and, when used alone, is also a single point of failure and compromise. By lengthening a PIN from 4 digits to 6 digits, conceivably they are more difficult to compromise through brute force attacks. However, when someone writes their PIN on a sticky note, or responds to a phishing email, or through some other method unwittingly gives up there PIN then it doesn’t matter how long the PIN is because the probability of compromise is now 100%.

Through the addition of a second or third factor of authentication (One-time use PIN, biometric etc.) the authentication process is no longer single point of failure and the hill that the identity thief now has to climb is significantly steeper. Now not only is a PIN or Password compromise required, but a biometric sample or out-of-band authentication path needs to be broken and compromised as well. The path to attacking and compromising a knowledge-based credential is now extended across multiple channels and multiple components and is therefore fundamentally much stronger and more difficult to compromise.

CC: What do you need to set up a multi-factor authentication solution in your business?

AO:A multi-factor solution conversation always begins with questions around what the organization is doing today to authenticate users across a number of different channels and where the opportunities lie in identifying additional appropriate authentication factors. The good news is that there are many options available today in terms of adding multi-factor authentication to both existing and new authentication methods. So the step-by-step process is to review what’s being done today, identify the points of greatest risk and remediation, consider the options for additional authentication factors and then develop the solution that matches the security and user convenience needs of the organization. Typically what we will see and do is augment an existing knowledge based authentication process with an additional factor of authentication so that the user experience is not radically changed but rather enhanced.

CC: Are there industries that would benefit more than others from this technology?

AO:I would suggest that there is no single industry vertical that should not be looking at multi-factor authentication. The access control risks span all industries and the consequences of compromise are equally broad. Having said that, due to regulatory, audit and control requirements, I would suggest that Financial Services and Health Care are those most acutely impacted by the need to have strong multi-factor authentication available to their end users.

CC: I can now sign into my iPhone with my thumbprint, are biometrics the new wave and how do they fit into multi-factor authentication?

AO:Biometrics are definitely on a roll within the industry due in large part to the ubiquity of the new generation of smart phone devices. The ease of use and accessibility of the fingerprint scanners on these devices has paved the way for overwhelming adoption and usage of these methods. As a result, biometrics, that have been in the industry for decades but seen relatively modest adoption, are now poised to benefit from a significant uptick in usage and applicability. That is very good news for organizations like Courion that are using these authentication methods as an integrated part of a mobile authentication strategy.

A big thank you to Andy for taking the time to meet with us today. Do you want to see mobile password authentication in action? Check out our demo here. Want to know how Courion's solutions work to deter risks and manage down the threat surface in your organization? Contact us or download our on-demand demo for more information.


Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!