Next time you sit down to enjoy your morning coffee at your desk, challenge yourself to count how many authentication requests you receive from various apps, devices, and systems throughout the working day.
Enterprises’ solution to the rising threat of identity-related attacks has been implementing multi-factor authentication (MFA) to protect users. However, savvy attackers have evolved their approach by exploiting multi-factor authentication fatigue, which relies on spamming victims with authentication prompts to gain unauthorized access.
However, identity technology advances can help enterprises move away from relying on MFA alone and finally rid themselves of password usage once and for all.
Enterprises’ MFA challenges
The methods that cybercriminals use to attack MFA have existed for decades and have steadily grown in sophistication over that time. MFA security methodologies, however, have mostly stayed the same over the past five or six years.
As a result, MFA approaches typically lack context, and even advanced strategies like biometrics can be spoofed. They also use inconsistent methodologies, which means different user experiences and no context sharing from one app to another.
Enterprises are facing MFA challenges on two primary fronts:
MFA Front 1: User Experience
Most MFA systems offer poor user experience, but enterprises have been dealing with it for so long that they no longer realize it. For example, if you unlocked your cellphone and it requested an authentication every time you opened an app, you’d probably change your carrier or phone brand very quickly. However, this same user experience hasn’t translated to enterprise workstations.
The typical user still has to log into various apps, devices, and systems around 16 times daily. And the more authentication requests a user has to answer, the more susceptible they are to credential theft, phishing, and Man-in-the-Middle (MitM) attacks.
MFA Front 2: Poor Security
Enterprises are increasingly deploying artificial intelligence and machine learning to assess user behavior when they authenticate. However, these checks are typically far too infrequent. For example, if an employee works at home on their desktop and moves to their local café on a laptop, the authentication journey has changed. But a standard 48-hour check process is unlikely to pick the adjustment up quickly enough.
Fortify Your MFA With Military Might
Next-generation authentication processes take enterprises into continuous and intelligent MFA. This advanced approach uses authentication as a backbone across the entire enterprise and knows when to send push requests and, just as importantly, when not to.
However, MFA alone isn’t the solution to enterprises’ identity security pain; they need an entire arsenal of approaches to harden their ever-expanding perimeter. This begins with a passwordless continuous authentication process that simplifies audits, user experience, and policy creation, eliminates passwords, and enables hack-proof MFA. The passwordless continuous authentication process relies on:
Users usually verify their identity only when they receive a push request at run time, but risk engines provide patented AI and machine-learning peer-based algorithms to produce the most accurate, real-time risk scores.
Risk engines enable enterprises to monitor hundreds of variables, from peer group behavioral modeling to time and location, to constantly assess whether access attempts are legitimate. Risk engines can also connect to existing threat intelligence solutions, such as Identity Governance and Administration (IGA), Privileged Access Management (PAM), Security Information and Event Management (SIEM), and User and Entity Behavior Analytics (UEBA), to enhance risk analysis and improve security posture.
Device trust merges users’ mobile, desktop, laptop, server, and authentication experience into a unified approach. This option is rapid, secure, and simple, ensuring a great user experience, detailed audit trails, and lock-out features across any device.
Starting the authentication process with device trust ensures transparency into how risk is measured. So every business needs to consider utilizing device trust to secure users at the start of their day.
Universal Authentication Fabric (UAF)
The holy grail of identity security is ensuring that users never need to remember or use a password again. Therefore, rather than the multiple authentication requests you counted since drinking that morning coffee, UAF ensures that first login is the only time you have to authenticate yourself all day.
UAF shares or combines a user’s authentication journey with previously disconnected systems, such as desktop apps, PAM, SSO, virtual desktop infrastructure, virtual private networks, workstation logins, and more. It reduces the number of MFA prompts across all apps, devices, and systems and can bring even privileged users down to just three or four MFA pushes per day.
Fight MFA Fatigue With Passwordless Experiences
In an ideal world, a user logs into their workstation, authenticates themselves, and never has to do so again all day. User assurance needs to be evaluated on behavioral analytics, user and app privileges, and the current business, environment, and threat context. If their level of assurance is high, there’s no need to push an MFA request. But if it’s low, the system needs to provide some friction.
The assurance level needs to be continuously assessed to re-evaluate that the user is who they say they are in real-time. This approach will empower enterprises to push a request or terminate a session as soon as they notice unusual behavior.
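The assurance-driven decision described above, as an added example that is not code from the article or from SecureAuth's platform: a toy Python engine that scores each access signal against a constructed baseline (device trust, mid-session device change, country, working hours, privileged scope), allows when assurance is high, pushes a step-up prompt when it is mid-range, terminates when it is low, and caps the number of pushes per user per day so that a flood of approval prompts cannot be used to wear the user down. Every weight, threshold, baseline value and event here is a constructed assumption, not a learned model.

```python
# Added example, not the article's or SecureAuth's code: a toy continuous-assurance
# engine. Weights, thresholds, baseline data and the event stream are all constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALLOW, STEP_UP, TERMINATE = "ALLOW", "STEP_UP", "TERMINATE"

MAX_PUSHES = 4                 # assumed cap on MFA pushes per user per window
PUSH_WINDOW = timedelta(hours=24)


@dataclass
class Baseline:
    """Stand-in for a learned user/peer-group profile (constructed values)."""
    device_ids: set
    countries: set
    work_hours: range = range(7, 20)   # local hours when this peer group normally works


@dataclass
class Session:
    user: str
    device_id: str                                   # device the session is bound to
    push_times: list = field(default_factory=list)   # when we asked this user for a push


@dataclass
class Signal:
    ts: datetime
    device_id: str
    country: str
    device_trusted: bool       # passed device-trust checks (managed, healthy)
    privileged: bool = False   # action touches privileged scope (PAM, admin app)


def assurance_score(session: Session, signal: Signal, baseline: Baseline) -> int:
    """Start at full assurance and subtract for each deviation from the baseline."""
    score = 100
    if not signal.device_trusted:
        score -= 40
    if signal.device_id != session.device_id:
        score -= 35            # journey changed mid-session (e.g. desktop -> laptop)
    if signal.device_id not in baseline.device_ids:
        score -= 10            # device never seen for this user or peer group
    if signal.country not in baseline.countries:
        score -= 30
    if signal.ts.hour not in baseline.work_hours:
        score -= 15
    if signal.privileged:
        score -= 10
    return max(score, 0)


def decide(session: Session, signal: Signal, baseline: Baseline) -> str:
    """High assurance: no prompt. Low: end the session. In between: step up,
    but never more than MAX_PUSHES prompts per window (prompt-fatigue guard)."""
    score = assurance_score(session, signal, baseline)
    if score >= 70:
        return ALLOW
    if score < 30:
        return TERMINATE
    recent = [t for t in session.push_times if signal.ts - t < PUSH_WINDOW]
    if len(recent) >= MAX_PUSHES:
        return TERMINATE       # refuse to keep prompting; force a fresh login instead
    session.push_times = recent + [signal.ts]
    return STEP_UP


def step_up_succeeded(session: Session, signal: Signal) -> None:
    """After a successful push, rebind the session to the device that answered."""
    session.device_id = signal.device_id


def simulate_day() -> list:
    """Constructed day: home desktop, move to cafe laptop, privileged action, then
    an off-hours attempt from an untrusted device in an unexpected country."""
    baseline = Baseline(device_ids={"desk-01", "lap-01"}, countries={"US"})
    session = Session(user="alice", device_id="desk-01")
    day = datetime(2024, 1, 15)
    events = [
        Signal(day.replace(hour=9), "desk-01", "US", True),
        Signal(day.replace(hour=11), "lap-01", "US", True),
        Signal(day.replace(hour=12), "lap-01", "US", True, privileged=True),
        Signal(day.replace(hour=23), "tablet-77", "RO", False),
    ]
    decisions = []
    for sig in events:
        d = decide(session, sig, baseline)
        if d == STEP_UP:
            step_up_succeeded(session, sig)   # assume the user approves the push
        decisions.append(d)
    return decisions


def fatigue_scenario() -> list:
    """Six mid-assurance requests in one hour that the user never approves:
    after MAX_PUSHES prompts the engine stops pushing and terminates instead."""
    baseline = Baseline(device_ids={"desk-01"}, countries={"US"})
    session = Session(user="bob", device_id="desk-01")
    start = datetime(2024, 1, 15, 10, 0)
    return [decide(session, Signal(start + timedelta(minutes=10 * i), "lap-02", "US", True), baseline)
            for i in range(6)]


if __name__ == "__main__":
    print(simulate_day())      # ['ALLOW', 'STEP_UP', 'ALLOW', 'TERMINATE']
    print(fatigue_scenario())  # four STEP_UP, then two TERMINATE
```

The cafe move scores 65 (device changed), so the user gets one push and the session is rebound; the later privileged action on the now-bound laptop scores 90 and needs no prompt, which is the "three or four pushes per day for privileged users" behaviour the article describes. The off-hours foreign attempt scores 0 and is terminated without ever sending a push that could be mistakenly approved.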
Enterprises can take the fight back to cyber criminals with technologies that enhance user experience and strengthen security. Passwordless continuous authentication ensures only the right users have the right level of access at the right time. And this is crucial to making the dream of one daily login per user an immediate reality.
About the Author: Donovan brings more than 20 years’ experience in the IAM space as a practitioner, product developer, and strategist. Fortune 1000 organizations depend on his leadership to help them choose the right solution for their identity security needs. As Director of Solutions Engineering, Mr. Blaylock manages the technical sales and engineering team to best demonstrate the innovation and differentiators of SecureAuth’s passwordless continuous authentication platform. He’s also a veteran technology speaker who inspires audiences around the globe with the latest thought leadership topics and security trends. Before joining SecureAuth, Donovan was the Chief Technology Evangelist and Healthcare Strategy Lead at SailPoint for seven years. He was also the lead consultant at Trace 3’s IAM practice.