The Reckoning: Traditional MFA Not Enough for Cyber Insurance Compliance
Adopt a new approach to MFA to future proof your business
An MFA Reckoning is Coming
Traditional MFA Methods will soon be grounds for higher premiums and non-renewals.
As 84% of breaches are credential-related, increasing attention has been paid to authentication, with traditional MFA in the crosshairs as no longer effective at thwarting attacks. IT and security professionals are also aware of this MFA reckoning, as shown in a 2023 survey report.
Traditional versus Invisible MFA
Know the differences in MFA approaches
New approaches to authentication are available to future-proof your business for cyber compliance and beyond. Before you roll out any MFA initiative, be sure it’s powered by a risk-based, continuous platform that gives you full context on user behavior throughout the digital journey, including post-authorization.
By September 2023, some of our Energy and Financial Services customers will be taking a proactive stance by banning MFA methods like one-time passwords (OTPs), push to text, push to email, and personal identification numbers (PINs). The Reckoning is already a reality for these regulated industries.
“Not all forms of MFA are equally secure. Phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”
– CISA Fact Sheet on Implementing Phishing-Resistant MFA [October 2022]
Invisible MFA:
- Provides user context throughout the digital journey
- Adds friction (i.e. prompts) only when risk appears
- Leverages advanced MFA methods like behavior and passwordless

Traditional MFA:
- Provides only point-in-time context, no control before authentication or post-authorization
- Adds an MFA prompt every time at authentication
- Uses methods that are easy to hack / bomb (push to text / push to email)
“OTPs & PINs are easily exploitable with ‘MFA bombing,’ ‘man-in-the-middle,’ and other attacks. It is time for organizations to move beyond legacy forms of MFAs.”
Future-Proof Your Organization
MFA preparedness for cyber insurance
When applying for cyber insurance, applicants must fill out questionnaires about their existing security product stack. These questionnaires have grown lengthier and more technical over the last several years.
Here are some sample questions from underwriters, and some potential questions that could start cropping up as they require more robust forms of MFA. Will you be prepared?
MFA Questions Underwriters Are Asking Now
- Do you enforce MFA for all admin users on your network?
- Do you enforce MFA for ordinary users on your network?
- Do you permit users remote access to web-based email?
- If Yes, do you enforce MFA for access?
- Do you permit ordinary users local admin rights to their devices (laptops)?
- Do you provide your employees with password management software?
MFA Questions Underwriters May Soon Ask
- Can you specify the MFA methods that you utilize? Are you using push to text and other non-secure methods?
- Do you use real-time risk scoring to continually authenticate users and accounts?
- Can you secure users post authorization?
- Do you utilize device trust for a more comprehensive security approach?
- What is your MFA adoption rate? Are you getting push-back from users due to MFA fatigue (i.e. too many prompts)?
- Are you using MFA methods that bypass the use of passwords?
Why Choose Arculix for Cyber Insurance Compliance
Purpose-built for authentication security
To stay ahead of the latest attacks and exceed cyber compliance requirements, you need a novel approach to MFA: one powered by a risk-based, continuous authentication platform that provides passwordless options, device trust, and security controls throughout the digital journey, including post-authorization.
Authentication that goes beyond the binary
Get ultimate transparency on how risk is measured with our patented policy-based and AI/ML risk analyzers. The risk engine provides the most accurate, real-time risk scores (based on NIST standards).
The behavioral modeling approach allows you to:
- Determine when to increase user friction based on the DLOA (Dynamic Level of Assurance)
- Provide security even post authorization, as risk is continuously checked throughout the user journey
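The two ideas above (prompting only when risk appears, and re-checking risk after authorization rather than only at login) can be shown as a small policy engine. The following is an added example written for this page; it is not Arculix code and does not reproduce its risk engine. The signal names, weights, thresholds and the sample session are constructed assumptions, and "DLOA" is borrowed from the page only as the name of the score.

```python
"""Risk-based, continuous step-up policy for MFA decisions (added example).

Not Arculix/SecureAuth code. Weights, thresholds and signal names are
assumptions chosen so the behaviour is easy to follow.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Iterable, List


class Decision(str, Enum):
    ALLOW = "allow"        # no prompt: risk is low, the session continues
    STEP_UP = "step_up"    # require a phishing-resistant factor (e.g. FIDO2/passkey)
    BLOCK = "block"        # terminate the session and deny the request


@dataclass(frozen=True)
class Signals:
    """Risk signals observed for one request in a session (all constructed)."""
    device_trusted: bool = True         # device is enrolled / attested
    known_location: bool = True         # network location seen before for this user
    impossible_travel: bool = False     # geo jump that is not physically possible
    fingerprint_changed: bool = False   # browser/device fingerprint differs from login
    behavior_anomaly: float = 0.0       # 0.0 normal .. 1.0 very unusual behaviour
    minutes_since_strong_auth: int = 0  # time since a strong factor was last presented
    sensitive_action: bool = False      # e.g. payment approval, admin change


# Assumed weights: a single decisive signal (impossible travel) alone
# exceeds the block threshold; softer signals must combine to trigger a prompt.
WEIGHTS = {
    "untrusted_device": 25,
    "unknown_location": 20,
    "impossible_travel": 80,
    "fingerprint_changed": 40,
    "behavior_anomaly": 40,   # scaled by the 0..1 anomaly score
    "stale_strong_auth": 15,  # more than 8 hours since a strong factor
    "sensitive_action": 15,
}
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 75


def risk_score(s: Signals) -> int:
    """Return a 0..100 score (a simplified 'dynamic level of assurance')."""
    score = 0
    score += WEIGHTS["untrusted_device"] if not s.device_trusted else 0
    score += WEIGHTS["unknown_location"] if not s.known_location else 0
    score += WEIGHTS["impossible_travel"] if s.impossible_travel else 0
    score += WEIGHTS["fingerprint_changed"] if s.fingerprint_changed else 0
    score += round(WEIGHTS["behavior_anomaly"] * max(0.0, min(1.0, s.behavior_anomaly)))
    score += WEIGHTS["stale_strong_auth"] if s.minutes_since_strong_auth > 8 * 60 else 0
    score += WEIGHTS["sensitive_action"] if s.sensitive_action else 0
    return min(score, 100)


def decide(s: Signals) -> Decision:
    """Map the score to an action: friction is added only when risk appears."""
    score = risk_score(s)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate_session(events: Iterable[Signals]) -> List[Decision]:
    """Re-score every request after login (continuous, post-authorization).

    A satisfied step-up resets the 'stale strong auth' clock for later
    requests; a BLOCK ends the session, so later requests are not evaluated.
    """
    decisions: List[Decision] = []
    strong_auth_reset = False
    for ev in events:
        if strong_auth_reset:
            ev = replace(ev, minutes_since_strong_auth=0)
        d = decide(ev)
        decisions.append(d)
        if d is Decision.STEP_UP:
            strong_auth_reset = True
        if d is Decision.BLOCK:
            break
    return decisions


def prompt_counts(events: Iterable[Signals]) -> dict:
    """Prompts under 'prompt every time' versus risk-based step-up."""
    evs = list(events)
    risk_based = sum(1 for d in evaluate_session(evs) if d is Decision.STEP_UP)
    return {"prompt_every_time": len(evs), "risk_based": risk_based}


# Constructed session: trusted laptop at a known location, a few app accesses,
# then the browser fingerprint changes mid-session, then an impossible geo jump.
SAMPLE_SESSION = [
    Signals(),                                                         # login
    Signals(minutes_since_strong_auth=30),                             # SSO to mail
    Signals(minutes_since_strong_auth=95, sensitive_action=True),      # admin console
    Signals(minutes_since_strong_auth=120, fingerprint_changed=True),  # session reuse?
    Signals(minutes_since_strong_auth=130, fingerprint_changed=True, impossible_travel=True),
]

if __name__ == "__main__":
    for ev, d in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"score={risk_score(ev):3d} -> {d.value}")
    print(prompt_counts(SAMPLE_SESSION))
```

Two details matter for the comparison on this page. First, the step-up factor is deliberately a single phishing-resistant prompt rather than a repeated OTP, and it is raised only once in the sample session, against five prompts under a prompt-every-time policy. Second, because every request is re-scored, the fingerprint change and the later impossible-travel signal are caught after the user was already authorized, which a login-only check would never see.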
Mobile. Desktop. Laptop. Server.
Get data from all devices to provide a comprehensive risk view to:
- Streamline remote audit logs and control of user access.
- Stitch data together for an accurate trust chain and compliance processes.
- Detect threats across all endpoints.
- Consolidate authentication processes for Windows and macOS environments.
Delight users. Strengthen security.
Arculix is the only product that combines and analyzes data from your mobile devices, workstations, and browser fingerprint to truly determine identity. This is the underlying next-gen technology that powers our invisible MFA approach.
It allows you to:
- Eliminate MFA fatigue by reducing the number of prompts from all devices, apps, VDI, VPN and SSO.
- Strengthen security as fewer prompts result in fewer MFA bombing attacks.
- Increase MFA adoption, as users will appreciate the frictionless experience.
- Improve user experience by consolidating to a single passwordless solution.
“We enabled 95% of our workforce with Arculix’s invisible MFA & device trust. Its risk-based authentication approach provides a massive decrease in breaches.”