
White Paper

The Value of Deploying Multi-Factor Authentication in a Digital World

In today’s highly distributed digital world, it is imperative organizations utilize multi-factor authentication (MFA) to minimize risk and eliminate threat vectors. By improving identity security with MFA, organizations can better protect intellectual property, systems, applications, data, and the privacy of users.

Contents

The Risk is Real
Passwords are no longer enough
The Need for Strong User Verification
Multi-factor Authentication & Disruption
Is Visible or Invisible MFA Better for You?
How Do You Make Employees Love MFA?
Conclusions
Appendix

The Risk is Real

The Identity Theft Resource Center identified in their Annual Data Breach Report for 2020 the following:

  • 1,108 total data breaches occurred with 144,757,076 individuals impacted
  • 107 data exposures with 155,805,443 individuals impacted
  • 878 cyber-attacks reported with 169,575,338 individuals impacted
  • Business Email Compromise (BEC) attacks cost companies more than $1.8B in 2019 – the average loss grew 48% in the first quarters of 2020
  • 44% of cyber-attacks were the result of Phishing/Smishing/BEC attacks
  • The average ransomware payout was > $233,000 per event in Q4 2020 compared to > $10,000 in Q3 2018
A compelling statistic in the report is that nearly half of all successful cyber-attacks were the result of bad actors successfully manipulating a user to voluntarily provide their credentials. These social engineering attacks are not new. But victims continue to succumb to the attacks year after year costing businesses millions of dollars as well as damaging brands and reputations. With respect to stolen credentials, the Identity Theft Resource Center recommends the following:
  • Do not reuse passwords – one unique password per account
  • Use Multi-factor Authentication (MFA) when possible
  • Use a password manager if needed
  • Upgrade to a passphrase that is at least 12 characters long
  • Consider creating online accounts so cybercriminals cannot create one in your name
We agree that each of these recommendations has merit. But multi-factor authentication stands out in our view as the strongest. SecureAuth advises security leaders to deploy MFA and move beyond simple username + password credentials for user identity verification. Whatever resources an organization is protecting, from portals to applications, enabling multi-factor authentication to secure them is a must.

Garnering Trust

Trust is a critical element in the relationship between an enterprise and its users – workforce, suppliers, contractors, and customers. Organizations must both enable and protect users whenever they access resources without introducing unnecessary friction. Ultimately the goal of the business is to drive productivity, efficiency, and commerce. As organizations continue to invest in digital initiatives to improve customer centricity, increase enterprise speed and agility, and accelerate workforce transformation, the IT Security and Identity and Access Management teams must incorporate modern methods to verify identity and authenticate users beyond simple user-name + password. It’s time to enable multi-factor authentication across the enterprise.

This document is intended to serve as a guide for IT Leaders and Security Professionals interested in gaining insight to the value and advantages of deploying Multi-factor Authentication as part of an Access Management program.


Passwords Are No Longer Enough

The main challenge with passwords is human behavior. Your users become the weakest link in your security posture when relying only on user-name + password. In our 2020 State of Identity Report, we captured very compelling data from over 2000 respondents with respect to their security and privacy habits. Among those who are using the same password for more than one account, most are using it across 3-7 accounts (62%) and 10% say they are using the same password across 10+ accounts. This behavior creates tremendous risk for each and every account.

The bottom line is your users like their passwords. In fact, they like them so much that they use them everywhere. And what we mean by “everywhere” is that they use the same password over and over. And the basic reason why is it’s easy and convenient. In the Identity report, we discovered that in the workplace 34% of people in leadership positions admit to using one of the top 10 most common passwords – ABC123, Qwerty, 123123, Admin, etc., to access business resources. This type of password behavior within an enterprise organization creates substantial risk by making it much easier for cyber-criminals to compromise an account. To overcome this type of poor password behavior, SecureAuth advises organizations and their security teams to deploy Multi-factor Authentication to protect resources and secure every user.

Identity security is critical for every organization. It is a cornerstone of a Zero Trust security approach. The enterprise perimeter is not what it used to be. Work from Home, Cloud services and SaaS applications have dramatically shifted how businesses operate in today’s digital economy. Organizations across every industry are now using public cloud (GCP, AWS, or Azure) for a host of services and utilizing SaaS applications to run the business. In many cases, complex legacy applications within enterprise organizations are still running on-premises and most likely will never move to the cloud. Ensuring that users requesting access to resources, no matter where those resources reside, are actually the person they claim to be requires a robust identity security approach leveraging Multi-factor Authentication to protect and secure the new enterprise perimeter.

34% of employed people in a director level + role admit to having used one of the most common passwords.
(Figure: Some of the Most Popular Passwords)

The Need for Strong User Verification

More businesses employ virtual, remote and contract workers than ever before. Gartner projects through 2024, remote workers will represent 30% of all employees worldwide representing an increase of 13% over 2019 to nearly 600 million employees. Gartner also projects that by the end of 2024, the change in the nature of work will increase the total available remote worker market to 60% of all employees, up from 52% in 2020 (source: Forecast Analysis: Remote Workers Forecast, Worldwide – Aug. 21, 2020). These changes are impacting organizational boundaries driving the need for efficient, dynamic collaboration and shared access to key business systems. SecureAuth believes multi-factor authentication should be a requirement across the workforce, as well as for external contributors like partners or contractors, in order to securely enable users to access applications and other valuable resources from anywhere. With an evolving workplace landscape and changing user expectations, the need for simple, effective, and secure access is more important now than ever before.

Zero Trust

The network infrastructure for most enterprise organizations has grown increasingly complex. IT teams are now managing several internal networks, satellite offices, remote employees, and cloud services. This new enterprise ecosystem has outgrown traditional methods of perimeter-based network security because there is no single, easily identified perimeter for the enterprise. This evolution has brought on increased interest in, and deployment of, a Zero Trust security approach.

A Zero Trust approach is built on the assumption that the network is hostile and that an enterprise-owned network infrastructure is no more secure than any non-enterprise-owned network. And so IT security leaders must continuously analyze and evaluate potential risk and respond appropriately to mitigate these risks. At SecureAuth, we believe Identity Security is a crucial component to implementing an effective Zero Trust security model. And we strongly advocate the use of multi-factor authentication to effectively enable secure access to resources for only those who are validated as needing access, by verifying the identity and security posture for each access request.


Multi-factor Authentication & Disruption

We often hear the following statement from both business and IT folks – “my users can’t be bothered with additional steps to access resources they need to do their jobs.” We agree. That’s why you need a flexible identity and access management service that enables customizable workflows based on users, user groups, applications, and systems.

You need the ability to align the risk thresholds you’ve defined for your resources and then map the users’ journey accordingly to securely access those resources. You may decide MFA is not required for certain resources. Or perhaps MFA will only be required if something appears out of the ordinary. The flexibility to embrace a prescriptive approach and deploy very simple or quite complex workflows depending on the applicable resource removes the “all or nothing mentality” many organizations perceive with respect to MFA.

Types of Authentication factors

Three types of authentication factors are commonly used by organizations to verify identity. Each factor type is unique and each provides a different level of assurance – i.e. the assurance level of a password is not as high as that of a fingerprint.

Following is a description of the three factors:

A knowledge-based factor

is something the user knows, such as a password, a PIN (personal identification number) or some other type of shared secret.

A possession-based factor

is something the user has, such as an ID card, a security token, a cellphone, a mobile device or a smartphone app to approve authentication requests.

An inherence-based factor

is something the user is, unique unto themselves, such as a fingerprint or facial recognition.

These factors are utilized by users to gain access to resources such as portals or applications. The conditions in which these factors are deployed and permitted to be used by the user community is typically defined by line of business owners, IT security, and Identity and Access Management practitioners.

It should be noted that two-factor authentication (2FA) is not the same as Multi-factor Authentication (MFA). The difference is subtle but quite impactful. 2FA requires a user to produce two forms of verification, but the issue is that organizations often allow users to provide the same ‘type’ of verification. As an example, a user provides a password and the name of their childhood pet to successfully authenticate. In this example, both forms of identity provided are knowledge-based factors which a bad actor can easily acquire via social engineering attacks. On the other hand, with MFA two forms of verification are also required but the factors cannot be of the same type. In this case, a user can use their cellphone (a possession-based factor) together with a biometric fingerprint (an inherence-based factor) to verify their identity and successfully authenticate. Security is significantly stronger using the MFA model as it is much more difficult for a bad actor to gain possession of either or both factors in order to compromise an account. This important difference is why SecureAuth is a strong proponent of MFA.

Authentication Options Improve Security

Frictionless MFA

At SecureAuth, we would challenge the belief that MFA creates an unnecessary user disruption. The user experience is of paramount importance to all of us. SecureAuth understands the challenges of ensuring your user community can access resources, engage with systems, and collaborate with peers in a fast and easy manner. Users deserve and expect a great experience without any compromise to security. We believe the perception that MFA is disruptive stems from how organizations have historically deployed it with respect to the user journey and the authentication process. As with any new process or technology, the challenge is to minimally interfere with employee productivity. If MFA is too disruptive users won’t tolerate it, and overall adoption will be slow at best. For this reason, SecureAuth advises that training be delivered to users as well as support teams, along with consistent communication to keep everyone “in the loop”, to eliminate obstacles and ensure success.

We all know there is no “silver bullet” when it comes to access control and security. That is why SecureAuth and our Innovation Labs team have focused diligently on developing the most robust MFA options available as part of our cloud identity and access management service. Our intuitive user interface enables admins to quickly create user journeys (workflows) with MFA that meet the security requirements of the business and the experience expectations of users. Flexibility is a requirement for any MFA solution. In some cases, users don’t need to be prompted for MFA each time they log in. We believe MFA should never be seen as an obstacle or hindrance by users. When done right, MFA can improve the user experience and eliminate the need for passwords, creating an outstanding user experience with the strongest available identity security.

Is Visible or Invisible MFA Better for You?

This could be construed as a trick question. Why? Because both forms of MFA are good for you. We advise organizations to identify which is better based on specific use cases and the organization’s established risk threshold for their resources. The user experience must also be factored into the equation to ensure the MFA policy deployed supports the desired user journey and aligns to business objectives.

Here’s an example: an employee working at the corporate HQ of a large enterprise organization arrives at work and connects to the WiFi network. Her machine is immediately recognized and after only entering her username she successfully logs into the corporate network. She has specific entitlements created by the security team and uses the company’s SSO portal to access applications. The employee realizes she needs a ‘calculator app’ and navigates to the SSO portal to access the app – the app is not business critical to the enterprise and the risk threshold is deemed as low. The employee encounters no disruption and uses the app and exits without issue.

In the afternoon, the employee realizes she needs to access an HR app to approve a time-off request on behalf of her boss. The app is in the SSO portal but has a higher risk threshold and she hasn’t accessed the app for over 60 days. When she clicks to open the app, she is challenged to verify her identity. She enters her username + password for the app and next she is prompted to select an MFA option from a list including SMS, email, or a Time-based One-time Passcode (TOTP). She selects TOTP and uses her SecureAuth Authenticate mobile app to retrieve the TOTP and enters it into the system. Her identity is verified and she proceeds to approve the time-off request for the associate.

The same associate experienced visible and invisible MFA during her workday. The access management solution her enterprise organization has in place provides the flexibility the security team needs to create unique workflows (i.e. user journeys) based on the resources being accessed. The solution also provides a great user experience by allowing the user to select the MFA option she prefers – in this case a TOTP passcode via a mobile authenticator rather than receiving an email or SMS text message.
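The workday scenario above, and the earlier rule that two factors must be of different types, can be expressed as a small policy engine. This is an added illustrative example, not SecureAuth code: the risk levels, the 60-day dormancy window, the factor catalogue and the offered challenge options are assumptions chosen to match the scenario.

```python
# Added illustrative adaptive-MFA policy engine (not SecureAuth code). Resources
# carry a risk threshold, a request carries context signals, and the policy picks
# a silent allow (invisible MFA) or a visible challenge; a challenge only counts
# as satisfied when the presented factors span two distinct factor types.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class FactorType(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows: password, PIN
    POSSESSION = "possession"  # something the user has: phone, token, app
    INHERENCE = "inherence"    # something the user is: fingerprint, face


# Constructed factor catalogue for the example; a real deployment would load it
# from the identity service's configuration.
FACTOR_TYPES = {
    "password": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,
    "sms": FactorType.POSSESSION,
    "email": FactorType.POSSESSION,
    "totp": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}

# Visible second-factor options offered at a challenge, as in the HR-app scenario.
CHALLENGE_FACTORS: Tuple[str, ...] = ("sms", "email", "totp")


def is_true_mfa(factors: Sequence[str]) -> bool:
    """True only when the presented factors span at least two distinct types.

    password + security_question is two knowledge factors and fails; a phone-based
    TOTP code + fingerprint spans possession and inherence and passes.
    """
    return len({FACTOR_TYPES[f] for f in factors}) >= 2


@dataclass
class Resource:
    name: str
    risk: str                    # "low", "medium" or "high" (assumed levels)
    reauth_after_days: int = 60  # assumed dormancy window before re-verification


@dataclass
class Context:
    known_device: bool
    on_corporate_network: bool
    days_since_last_access: Optional[int]  # None means never accessed before


@dataclass
class Decision:
    outcome: str                 # "allow", "challenge" or "deny"
    reason: str
    allowed_factors: Tuple[str, ...] = ()


def evaluate(resource: Resource, ctx: Context) -> Decision:
    """Decide whether the request passes silently or needs a visible factor."""
    trusted = ctx.known_device and ctx.on_corporate_network
    dormant = (ctx.days_since_last_access is None
               or ctx.days_since_last_access > resource.reauth_after_days)
    if resource.risk == "low":
        if trusted:
            return Decision("allow", "low risk, recognised device on corporate network")
        return Decision("challenge", "low risk but unrecognised device or network",
                        CHALLENGE_FACTORS)
    if resource.risk == "medium":
        if trusted and not dormant:
            return Decision("allow", "medium risk, trusted context, recently used")
        return Decision("challenge", "medium risk with dormant use or untrusted context",
                        CHALLENGE_FACTORS)
    if resource.risk == "high":
        return Decision("challenge", "high risk always needs a visible factor",
                        CHALLENGE_FACTORS)
    return Decision("deny", f"unknown risk level {resource.risk!r}")


def complete_challenge(decision: Decision, presented: Sequence[str]) -> str:
    """Check that a visible challenge was satisfied with genuinely distinct factors."""
    if decision.outcome != "challenge":
        return "no challenge pending"
    unknown = [f for f in presented if f not in FACTOR_TYPES]
    if unknown:
        return f"rejected: unknown factor(s) {unknown}"
    if not is_true_mfa(presented):
        return "rejected: all presented factors are of the same type"
    if not any(f in decision.allowed_factors for f in presented):
        return "rejected: no permitted second factor presented"
    return "granted"


if __name__ == "__main__":
    hq = Context(known_device=True, on_corporate_network=True, days_since_last_access=1)
    print(evaluate(Resource("calculator", "low"), hq))          # invisible: allow
    stale = Context(known_device=True, on_corporate_network=True, days_since_last_access=75)
    hr = evaluate(Resource("hr-time-off", "medium"), stale)     # visible: challenge
    print(complete_challenge(hr, ["password", "totp"]))          # granted
    print(complete_challenge(hr, ["password", "security_question"]))  # rejected
```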


Visible vs. Invisible MFA

Invisible MFA is a form of multi-factor authentication that leverages a user’s historical data as well as silently collecting real-time data at the point of login to verify identity prior to granting access. Invisible MFA is also known as contextual or adaptive authentication.

Visible MFA is a form of multi-factor authentication that actively engages the user and requests input from the user to verify identity. An example is a website that requests username + password and then sends an email with a 6-digit code the user must input to gain access.

By 2023, 60% of large and global enterprises, and 80% of MSEs, will deploy MFA capabilities consolidated with AM or similar tools, which is an increase from 10% and 25%, respectively.

Gartner: Market Guide for User Authentication, June 26, 2020

The choice between Visible and Invisible MFA is, and should be, based on specific use cases. Security is paramount. No organization wants to be compromised by a bad actor and/or experience a breach and the exfiltration of valuable data. Developing a well thought out plan to ensure the right balance between security and user experience requires that all the right stakeholders are at the table. Line of business owners, marketing, security, IT, partner management, help desk services, application owners, users, and more should contribute to the planning to ensure an inclusive access management strategy with all stakeholders owning accountability. Security is not just an IT responsibility.


SecureAuth advises the following when preparing for and deploying multi-factor authentication:

  • Follow the C.A.R.E. standard for cybersecurity controls to ensure that user authentication is consistent, adequate, reasonable and effective
  • Implement One-time Passwords (OTP) and mobile push modes based on a smartphone app like SecureAuth Authenticate to provide strong security
  • Use smartphone apps like SecureAuth Authenticate as a source of signals and analytics to enable adaptive authentication capabilities
  • Implement, or put on the IAM roadmap, an adaptive access approach that enables users to skip unnecessary authentication steps in low-risk situations
  • Clearly define infrastructure, user experience, and risk tolerance levels when implementing multi-factor authentication workflows
  • Enable multi-factor authentication on your endpoint devices running Windows, macOS, & Linux
  • Consider enabling passwordless MFA via a mobile authenticator, like SecureAuth Authenticate, by leveraging a local PIN or a biometric authentication to achieve passwordless access
  • Partner with a vendor like SecureAuth that can provide multiple MFA options to support your most challenging use cases so your entire community of users is protected with MFA
Multi-factor authentication is not an all or nothing proposition. Organizations can start small by launching proof-of-concepts around MFA for a sub-set of users focused on only one app. Educate the help desk, train the users, communicate often, and prepare to pivot and adjust as needed. As things level out and adoption is good, add a second app or increase the number of users. Ask questions. Why are users not opting to receive an email notification? Should we lower or increase the risk threshold level for an application for a specific user segment? Access management is a journey that requires continuous attention and nurturing. Introducing multi-factor authentication, either invisible or visible, will absolutely improve security by eliminating risk due to exposure to phishing or credential stuffing attacks. And when mindfully designed and deployed it will create a better experience for the user.

How Do You Make Employees Love MFA?

Which employees are we referring to? We believe multi-factor authentication provides value to multiple entities within a business. In fact, MFA delivers value throughout an organization by supporting business objectives, lowering risk, improving experience, protecting brand, and lowering costs.

Help Desk

Your help desk team will love the addition of MFA because it will drastically reduce the number of help desk tickets created by the user community. If users are leveraging their mobile phone (something you have) along with a biometric fingerprint scan (something you are) for authentication, then none of these users are going to “forget” their password. The help desk team gets time back to work on other, higher priority issues rather than logging into a console to execute password resets. With respect to password resets, your identity and access management service should enable self-service resets to allow users to efficiently manage the process on their own. This functionality is a win-win as both the user and the help desk team benefit.

Security Team

Security leaders will love MFA because it ensures their teams are able to effectively do their jobs day-in and day-out with little to no friction. Knowing that only the right people under the appropriate conditions can gain access to valuable data protects the brand, intellectual property, applications, systems, and users.

User Community

Your users will love MFA because you’ve taken the appropriate steps to train them and explain how & why MFA is being utilized across the business. They will understand the importance of security and know it is a differentiator for the business. They will appreciate the ability to self-enroll and select the MFA methods of their choice that work best for them and their circumstances. They will love the fact that they can use the SecureAuth Authenticate mobile app authenticator to secure their personal bank, email and other such accounts along with business resources. And they will love that their company is deploying resources that will not only help secure the business but also protect their own personal privacy and data.


Conclusions

As technology continues to advance, so too will the methods cybercriminals use to execute attacks on users and systems. To mitigate risk due to the increasing threat of cyber-attacks, many businesses are putting a priority on appropriately protecting their systems and data. One simple and yet extremely effective method, from SecureAuth’s perspective, for protecting valuable resources as well as a business’ reputation is to enable multi-factor authentication as part of your identity and access management security practice.


Organizations both large and small in every industry are investing in digital initiatives to adapt and pivot business models to improve customer centricity, increase enterprise speed and agility, and accelerate workforce transformation. These strategic initiatives are essential for an organization to improve competitive advantage and customer experience. We recommend members of the IT security team have a seat at the table for every project to ensure security is not an afterthought and is thoughtfully integrated as part of the planning process. As noted previously, the risk is real and threat actors will not stop searching for vulnerabilities they can exploit to compromise an organization.

Zero Trust

Organizations need to implement effective information security and resiliency practices for zero trust to be effective. In a Zero Trust model, these protections involve minimizing access to resources to only those who are validated as needing access and continuously authenticating the identity and security posture of each access request. Implementing multi-factor authentication is a logical step to increasing identity security and serves as a cornerstone to a zero trust framework.

Trust is truly a differentiator in today’s business world and a critical ingredient in the relationship between an organization and its users. The ability for your business to confidently grant access to the right users at the right time without unnecessary friction is paramount to the operations of the business, the retention of customers, and the overall growth of the business. SecureAuth identity security featuring multiple MFA options is the access management solution to help you gain that trust.

NIST Best Practices

Many are very familiar with the National Institute of Standards and Technology (NIST) and have more than likely utilized their recommendations to accelerate cybersecurity programs. For those unaware, NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce founded in 1901. Their mission is to promote innovation and industrial competitiveness.

NIST created the Framework for Improving Critical Infrastructure Cybersecurity to enable organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. The Framework includes five functional areas to organize cybersecurity activities at their highest level:

1) Identify, 2) Protect, 3) Detect, 4) Respond, 5) Recover

NIST addresses Multi-factor Authentication within the “Protect” function of their Framework for Improving Critical Infrastructure Cybersecurity publication. MFA appears in the Identity Management, Authentication and Access Control category, and specifically in sub-category PR.AC-7. PR.AC-7 states: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

We include this brief section about NIST because SecureAuth firmly believes in the Framework and advises as a best practice for organizations to utilize Multi-factor Authentication to deliver a secure and resilient infrastructure.

Learn more about the Framework: https://www.nist.gov/cyberframework


Consider your overall security posture and assess whether your access management capabilities map to your strategic initiatives and business objectives. Is the user experience creating challenges that impact your objectives? Can the security team create workflows specific to users and resources? Will your current solution support your needs 3-5 years from now?

Identity security is not a set-it-and-forget-it proposition. The security landscape is constantly changing and new users, apps and systems will always lie ahead. Our team of experts can help you assess your current state and provide guidance and recommendations based on your desired future state. If you are just getting started with your access management program or looking to sharpen the functionality and capabilities of your existing environment, SecureAuth is here to help.

Contact SecureAuth to learn more and understand “the possible” for your organization related to Identity Security, Multi-factor Authentication, Adaptive Authentication, Passwordless, and Continuous Authentication.


Appendix

How MFA Protects You

Common cyber-attacks utilized by bad actors to acquire basic username + password information:

Phishing

Often disguised as a trusted organization, the attacker delivers a message to a list of phone numbers or email addresses, usually with a call to action which requires login information and a fake website where the user is expected to provide that information.

Spear Phishing

This is similar to phishing, but it is targeted at a specific group of people using personalized messages. Hackers may glean information from social media accounts or other sources to personalize these messages and make them appear more trustworthy.

Credential Stuffing

The attacker relies on the user repeating usernames and passwords to log into their applications and sites. They attempt to use one set of stolen credentials to gain access to additional sites and programs.

Brute Force and Counter Brute Force Attack

The attacker uses software to rapidly test a variety of common credentials (e.g., Password123) in an attempt to gain access to sites and applications.

Keystroke Logging

The attacker installs a program (usually a virus) that captures keystrokes from the user’s computer, including passwords, sites visited, and usernames.

Man-in-the-Middle Attacks

The attacker accesses a user’s connection to another party, then either observes the interaction or redirects the connection to a fake site where the user will enter their login information.

A key reason MFA is highly effective is that it requires information that hackers are not likely to have in their possession. They may be able to steal your password and login information, but it’s not as likely that they’ll have access to your phone, and it’s nearly impossible for them to obtain your fingerprint.

NIST Cybersecurity Framework

NIST defines Authentication in this way: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Below is an outline of the Cybersecurity Framework by NIST.

About SecureAuth

SecureAuth is an identity security company that enables the most secure and flexible authentication experience for employees, partners and customers. Delivered as a service and deployed across cloud, hybrid and on-premises environments, SecureAuth manages and protects access to applications, systems and data at scale, anywhere in the world. The company provides the tools to build identity security into new and existing applications and workflows without impacting user experience or engagement, resulting in increased productivity and reduced risk.

SecureAuth brings together multi-factor authentication, risk-based adaptive authentication, single sign-on and user self-service in a highly flexible, standards-based SaaS service. With SecureAuth, you can deliver a unified and low-friction user experience that provides strong access control for all your user identities. We enable the ability to customize each authentication experience to the exact right combination of security and usability, so you can effectively meet the requirements of each of your use cases. Flexible deployment options mean you can build secure access for your business, your way. Improve business delivery and gain a competitive advantage with SecureAuth access management.
