The Value of Deploying Multi-Factor Authentication in a Digital World
In today’s highly distributed digital world, it is imperative that organizations use multi-factor authentication (MFA) to minimize risk and reduce the threat vectors available to attackers. By improving identity security with MFA, organizations can better protect intellectual property, systems, applications, data, and the privacy of users.
The Risk is Real
The Identity Theft Resource Center identified in their Annual Data Breach Report for 2020 the following:
- 1,108 total data breaches occurred with 144,757,076 individuals impacted
- 107 data exposures with 155,805,443 individuals impacted
- 878 cyber-attacks reported with 169,575,338 individuals impacted
- Business Email Compromise (BEC) attacks cost companies more than $1.8B in 2019 – the average loss grew 48% in the first quarters of 2020
- 44% of cyber-attacks were the result of Phishing/Smishing/BEC attacks
- The average ransomware payout was > $233,000 per event in Q4 2020 compared to > $10,000 in Q3 2018
- Do not reuse passwords – one unique password per account
- Use Multi-factor Authentication (MFA) when possible
- Use a password manager if needed
- Upgrade to a passphrase that is at least 12 characters long
- Consider creating online accounts so cybercriminals cannot create one in your name
Trust is a critical element in the relationship between an enterprise and its users – workforce, suppliers, contractors, and customers. Organizations must both enable and protect users whenever they access resources without introducing unnecessary friction. Ultimately the goal of the business is to drive productivity, efficiency, and commerce. As organizations continue to invest in digital initiatives to improve customer centricity, increase enterprise speed and agility, and accelerate workforce transformation, the IT Security and Identity and Access Management teams must incorporate modern methods to verify identity and authenticate users beyond a simple username + password. It’s time to enable multi-factor authentication across the enterprise.
This document is intended to serve as a guide for IT Leaders and Security Professionals interested in gaining insight into the value and advantages of deploying Multi-factor Authentication as part of an Access Management program.
Passwords Are No Longer Enough
The main challenge with passwords is human behavior. Your users become the weakest link in your security posture when you rely only on username + password. In our 2020 State of Identity Report, we captured very compelling data from over 2,000 respondents with respect to their security and privacy habits. Among those who are using the same password for more than one account, most are using it across 3-7 accounts (62%) and 10% say they are using the same password across 10+ accounts. This behavior creates tremendous risk for each and every account.
The bottom line is your users like their passwords. In fact, they like them so much that they use them everywhere. And what we mean by “everywhere” is that they use the same password over and over. And the basic reason why is it’s easy and convenient. In the Identity report, we discovered that in the workplace 34% of people in leadership positions admit to using one of the top 10 most common passwords – ABC123, Qwerty, 123123, Admin, etc., to access business resources. This type of password behavior within an enterprise organization creates substantial risk by making it much easier for cyber-criminals to compromise an account. To overcome this type of poor password behavior, SecureAuth advises organizations and their security teams to deploy Multi-factor Authentication to protect resources and secure every user.
Identity security is critical for every organization. It is a cornerstone of a Zero Trust security approach. The enterprise perimeter is not what it used to be. Work from Home, Cloud services and SaaS applications have dramatically shifted how businesses operate in today’s digital economy. Organizations across every industry are now using public cloud (GCP, AWS, or Azure) for a host of services and utilizing SaaS applications to run the business. In many cases, complex legacy applications within enterprise organizations are still running on-premises and most likely will never move to the cloud. Ensuring that users requesting access to resources, no matter where those resources reside, are actually the person they claim to be requires a robust identity security approach leveraging Multi-factor Authentication to protect and secure the new enterprise perimeter.
The Need for Strong User Verification
More businesses employ virtual, remote and contract workers than ever before. Gartner projects through 2024, remote workers will represent 30% of all employees worldwide representing an increase of 13% over 2019 to nearly 600 million employees. Gartner also projects that by the end of 2024, the change in the nature of work will increase the total available remote worker market to 60% of all employees, up from 52% in 2020 (source: Forecast Analysis: Remote Workers Forecast, Worldwide – Aug. 21, 2020). These changes are impacting organizational boundaries driving the need for efficient, dynamic collaboration and shared access to key business systems. SecureAuth believes multi-factor authentication should be a requirement across the workforce, as well as for external contributors like partners or contractors, in order to securely enable users to access applications and other valuable resources from anywhere. With an evolving workplace landscape and changing user expectations, the need for simple, effective, and secure access is more important now than ever before.
The network infrastructure of most enterprise organizations has grown increasingly complex. IT teams are now managing several internal networks, satellite offices, remote employees, and cloud services. This new enterprise ecosystem has outgrown traditional methods of perimeter-based network security because there is no single, easily identified perimeter for the enterprise.
This evolution has brought on increased interest in, and deployment of, a Zero Trust approach.
A Zero Trust approach is built on the assumption that the network is hostile and that an enterprise-owned network infrastructure is no more secure than any non-enterprise-owned network. IT security leaders must therefore continuously analyze and evaluate potential risk and respond appropriately to mitigate these risks. At SecureAuth, we believe Identity Security is a crucial component of implementing an effective Zero Trust security model. We strongly advocate the use of multi-factor authentication to enable secure access to resources only for those who are validated as needing access, by verifying the identity and security posture behind each access request.
Multi-factor Authentication & Disruption
We often hear the following statement from both business and IT folks – “my users can’t be bothered with additional steps to access resources they need to do their jobs.” We agree. That’s why you need a flexible identity and access management service that enables customizable workflows based on users, user groups, applications, and systems.
You need the ability to align the risk thresholds you’ve defined for your resources and then map the users’ journey accordingly to securely access those resources. You may decide MFA is not required for certain resources. Or perhaps MFA will only be required if something appears out of the ordinary. The flexibility to embrace a prescriptive approach and deploy very simple or quite complex workflows depending on the applicable resource removes the “all or nothing mentality” many organizations perceive with respect to MFA.
Types of Authentication factors
Three types of authentication factors are commonly used by organizations to verify identity. Each factor type is unique and each provides a different level of assurance – i.e. the assurance level of a password is not as high as that of a fingerprint.
Following is a description of the three factors:
A knowledge-based factor is something the user knows, such as a password, a PIN (personal identification number) or some other type of shared secret.
A possession-based factor is something the user has, such as an ID card, a security token, a cellphone, a mobile device or a smartphone app used to approve authentication requests.
An inherence-based factor is something the user is, unique unto themselves, such as a fingerprint or facial recognition.
It should be noted that two-factor authentication (2FA) is not the same as Multi-factor Authentication (MFA). The difference is subtle but quite impactful. 2FA requires a user to produce two forms of verification, but the issue is that organizations often allow users to provide the same ‘type’ of verification for both. As an example, a user provides a password and the name of their childhood pet to successfully authenticate. In this example, both forms of identity provided are knowledge-based factors, which a bad actor can easily acquire via social engineering attacks. On the other hand, with MFA two forms of verification are also required, but the factor types cannot be the same. In this case, a user can use their cellphone (a possession-based factor) together with a biometric fingerprint (an inherence-based factor) to verify their identity and successfully authenticate. Security is significantly stronger under the MFA model because it is much more difficult for a bad actor to gain possession of either or both factors in order to compromise an account. This important difference is why SecureAuth is a strong proponent of MFA.
At SecureAuth, we would challenge the belief that MFA creates an unnecessary user disruption. The user experience is of paramount importance to all of us. SecureAuth understands the challenges of ensuring your user community can access resources, engage with systems, and collaborate with peers in a fast and easy manner. Users deserve and expect a great experience without any compromise to security. We believe the perception that MFA is disruptive stems from how organizations have historically deployed it with respect to the user journey and the authentication process. As with any new process or technology, the challenge is to interfere minimally with employee productivity. If MFA is too disruptive users won’t tolerate it, and overall adoption will be slow at best. For this reason, SecureAuth advises that training be delivered to users as well as support teams, along with consistent communication to keep everyone “in the loop”, to eliminate obstacles and ensure success.
to be prompted for MFA each time they log in.
Is Visible or Invisible MFA Better for You?
This could be construed as a trick question. Why? Because both forms of MFA are good for you. We advise organizations to identify which is better based on specific use cases and the organization’s established risk threshold for their resources. The user experience must also be factored into the equation to ensure the MFA policy deployed supports the desired user journey and aligns to business objectives.
Here’s an example: an employee working at the corporate HQ of a large enterprise organization arrives at work and connects to the WiFi network. Her machine is immediately recognized and after only entering her username she successfully logs into the corporate network. She has specific entitlements created by the security team and uses the company’s SSO portal to access applications. The employee realizes she needs a ‘calculator app’ and navigates to the SSO portal to access the app – the app is not business critical to the enterprise and the risk threshold is deemed as low. The employee encounters no disruption and uses the app and exits without issue.
The same associate experienced visible and invisible MFA during her workday. The access management solution her enterprise organization has in place provides the flexibility the security team needs to create unique workflows (i.e. user journeys) based on the resources being accessed. The solution also provides a great user experience by allowing the user to select the MFA option she prefers – in this case a TOTP passcode from a mobile authenticator rather than receiving an email or SMS text.
Visible vs. Invisible MFA
Invisible MFA is a form of multi-factor authentication that leverages a user’s historical data as well as silently collecting real-time data at the point of login to verify identity prior to granting access. Invisible MFA is also known as contextual or adaptive authentication.
Visible MFA is a form of multi-factor authentication that actively engages the user and requests input from the user to verify identity. An example is a website that requests username + password and then sends an email with a 6-digit code the user must input to gain access.
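The following Python policy checker is an added illustration (not code from SecureAuth or from the original document) of the two points above: that true MFA needs factors of different types, and that an adaptive (invisible) policy can skip the visible prompt for low-risk resources when context signals are satisfied. The method catalogue, the resource risk table and the context signals are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed catalogue mapping verification methods to factor types.
METHOD_TYPES = {
    "password": FactorType.KNOWLEDGE,
    "pin": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,   # e.g. childhood pet's name
    "totp_app": FactorType.POSSESSION,
    "push_approval": FactorType.POSSESSION,
    "hardware_token": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
    "face_recognition": FactorType.INHERENCE,
}


def factor_types(methods):
    """Distinct factor types covered by the verification methods presented."""
    return {METHOD_TYPES[m] for m in methods}


def classify(methods):
    """Distinguish single-factor, 2FA with a repeated factor type, and true MFA."""
    if len(methods) < 2:
        return "single-factor"
    if len(factor_types(methods)) < 2:
        return "2FA (same factor type)"
    return "MFA"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    methods_presented: tuple    # verification methods already completed this session
    known_device: bool          # device matches the user's historical data (assumed signal)
    on_corporate_network: bool  # real-time signal collected silently at login (assumed)


# Constructed risk thresholds per resource; unknown resources default to "high".
RESOURCE_RISK = {"calculator_app": "low", "hr_payroll": "high"}


def decide(req):
    """Adaptive policy returning (decision, reason).

    A low-risk resource with a trusted context is allowed invisibly; anything
    else must satisfy true MFA (two different factor types) or is stepped up.
    """
    risk = RESOURCE_RISK.get(req.resource, "high")
    trusted_context = req.known_device and req.on_corporate_network
    if risk == "low" and trusted_context:
        return "allow", "invisible MFA: device and network context satisfied"
    if classify(req.methods_presented) == "MFA":
        return "allow", "visible MFA satisfied"
    # Tell the caller which factor types would turn the request into true MFA.
    missing = sorted(t.name for t in FactorType
                     if t not in factor_types(req.methods_presented))
    return "step_up", "present a factor of another type: " + ", ".join(missing)
```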
Gartner: Market Guide for User Authentication, June 26, 2020
SecureAuth advises the following when preparing for and deploying multi-factor authentication:
- Follow the C.A.R.E. standard for cybersecurity controls to ensure that user authentication is consistent, adequate, reasonable and effective
- Implement One-time Passwords (OTP) and mobile push modes based on a smartphone app like SecureAuth Authenticate to provide strong security
- Use smartphone apps like SecureAuth Authenticate as a source of signals and analytics to enable adaptive authentication capabilities
- Implement or put on the IAM roadmap utilizing an adaptive access approach to enable users to skip unnecessary authentication steps in low-risk situations.
- Clearly define infrastructure, user experience, and risk tolerance levels when implementing multi-factor authentication workflows
- Enable multi-factor authentication on your endpoint devices running Windows, macOS, & Linux
- Consider enabling passwordless MFA via a mobile authenticator, like SecureAuth Authenticate, by leveraging a local PIN or a biometric authentication to achieve passwordless access
- Partner with a vendor like SecureAuth that can provide multiple MFA options to support your most challenging use cases so your entire community of users are protected with MFA
How Do You Make Employees Love MFA?
Which employees are we referring to? We believe multi-factor authentication provides value to multiple entities within a business. In fact, MFA delivers value throughout an organization by supporting business objectives, lowering risk, improving experience, protecting brand, and lowering costs.
Your help desk team will love the addition of MFA because it will drastically reduce the number of help desk tickets created by the user community. If users are leveraging their mobile phone (something you have) along with a biometric fingerprint scan (something you are) for authentication, then none of these users are going to “forget” their password. The help desk team gets time back to work on other, higher priority issues rather than logging into a console to execute password resets. With respect to password resets, your identity and access management service should enable self-service resets to allow users to efficiently manage the process on their own. This functionality is a win-win as both the user and the help desk team benefit.
Security leaders will love MFA because it ensures their teams are able to effectively do their jobs day-in and day-out with little to no friction. Knowing that only the right people under the appropriate conditions can gain access to valuable data protects the brand, intellectual property, applications, systems, and users.
Your users will love MFA because you’ve taken the appropriate steps to train them and explain how & why MFA is being utilized across the business. They will understand the importance of security and know it is a differentiator for the business. They will appreciate the ability to self-enroll and select the MFA methods of their choice that work best for them and their circumstances. They will love the fact that they can use the SecureAuth Authenticate mobile app authenticator to secure their personal bank, email and other such accounts along with business resources. And they will love that their company is deploying resources that will not only help secure the business but also protect their own personal privacy and data.
As technology continues to advance, so too will the methods cybercriminals use to execute attacks on users and systems. To mitigate risk due to the increasing threat of cyber-attacks, many businesses are putting a priority on appropriately protecting their systems and data. One simple and yet extremely effective method, from SecureAuth’s perspective, for protecting valuable resources as well as a business’ reputation is to enable multi-factor authentication as part of your identity and access management security practice.
Organizations both large and small in every industry are investing in digital initiatives to adapt and pivot business models to improve customer centricity, increase enterprise speed and agility, and accelerate workforce transformation. These strategic initiatives are essential for an organization to improve competitive advantage and customer experience. We recommend members of the IT security team have a seat at the table for every project to ensure security is not an afterthought and is thoughtfully integrated as part of the planning process. As noted previously, the risk is real and threat actors will not stop searching for vulnerabilities they can exploit to compromise an organization.
Organizations need to implement effective information security and resiliency practices for zero trust to be effective. In a Zero Trust model, these protections involve minimizing access to resources to only those who are validated as needing access and continuously authenticating the identity and security posture of each access request. Implementing multi-factor authentication is a logical step to increasing identity security and serves as a cornerstone to a zero trust framework.
Trust is truly a differentiator in today’s business world and a critical ingredient in the relationship between an organization and its users. The ability for your business to confidently grant access to the right users at the right time without unnecessary friction is paramount to the operations of the business, the retention of customers, and the overall growth of the business. SecureAuth identity security featuring multiple MFA options is the access management solution to help you gain that trust.
NIST Best Practices
Many are very familiar with the National Institute of Standards and Technology (NIST) and have more than likely utilized their recommendations to accelerate cybersecurity programs. For those unaware, NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce founded in 1901. Their mission is to promote innovation and industrial competitiveness.
NIST created the Framework for Improving Critical Infrastructure Cybersecurity to enable organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. The Framework includes five functional areas to organize cybersecurity activities at their highest level:
1) Identify, 2) Protect, 3) Detect, 4) Respond, 5) Recover
NIST addresses Multi-factor Authentication within the “Protect” function of its Framework for Improving Critical Infrastructure Cybersecurity publication. MFA appears in the Identity Management, Authentication and Access Control category – and specifically in sub-category PR.AC-7. PR.AC-7 states: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
We include this brief section about NIST because SecureAuth firmly believes in the Framework and advises as a best practice for organizations to utilize Multi-factor Authentication to deliver a secure and resilient infrastructure.
Learn more about the Framework: https://www.nist.gov/cyberframework
Consider your overall security posture and assess if your access management capabilities map to your strategic initiatives and business objectives. Is the user experience creating challenges that impact your objectives? Can the security team create workflows specific to users and resources? Will your current solution support your needs in 3-5 years from now?
Contact SecureAuth to learn more and understand “the possible” for your organization related to Identity Security, Multi-factor Authentication, Adaptive Authentication, Passwordless, and Continuous Authentication.
How MFA Protects You
Common cyber-attacks utilized by bad actors to acquire basic username + password information:
Phishing and Smishing
Often disguised as a trusted organization, the attacker delivers a message to a list of phone numbers or email addresses, usually with a call to action that requires login information and a fake website where the user is expected to provide that information.
Spear Phishing
This is similar to phishing, but it is targeted at a specific group of people using personalized messages. Hackers may glean information from social media accounts or other sources to personalize these messages and make them appear more trustworthy.
Credential Stuffing
The attacker relies on the user repeating usernames and passwords to log into their applications and sites. They attempt to use one set of stolen credentials to gain access to additional sites and programs.
Brute Force and Counter Brute Force Attack
The attacker uses software to rapidly test a variety of common credentials (e.g., Password123) in an attempt to gain access to sites and applications.
Keylogging
The attacker installs a program (usually a virus) that captures keystrokes from the user’s computer, including passwords, sites visited, and usernames.
Man-in-the-Middle
The attacker accesses a user’s connection to another party, then either observes the interaction or redirects the connection to a fake site where the user will enter their login information.
NIST Cybersecurity Framework
NIST defines Authentication in this way: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Below is an outline of the Cybersecurity Framework by NIST.
SecureAuth is an identity security company that enables the most secure and flexible authentication experience for employees, partners and customers. Delivered as a service and deployed across cloud, hybrid and on-premises environments, SecureAuth manages and protects access to applications, systems and data at scale, anywhere in the world. The company provides the tools to build identity security into new and existing applications and workflows without impacting user experience or engagement, resulting in increased productivity and reduced risk.
SecureAuth brings together multi-factor authentication, risk-based adaptive authentication, single sign-on and user self-service in a highly flexible, standards-based SaaS service. With SecureAuth, you can deliver a unified and low-friction user experience that provides strong access control for all your user identities. We enable you to customize each authentication experience to the exact right combination of security and usability, so you can effectively meet the requirements of each of your use cases. Flexible deployment options mean you can build secure access for your business, your way. Improve business delivery and gain a competitive advantage with SecureAuth access management.