SecureAuth Named a Leader in KuppingerCole Leadership Compass Report for Customer Identity and Access Management

Reduce Risk & Remove Friction

Traditional MFA Methods and Passwords are grounds for higher premiums and non-renewals

With 84% of breaches involving credentials, attention has turned to authentication, and traditional MFA is in the crosshairs as no longer effective at thwarting attacks.

IT and security professionals are also aware of this MFA reckoning, as shown in a 2023 survey report.

Insurers are deciding that traditional MFA doesn’t reduce risk exposure enough for them to offer favorable cyber insurance policies.

55% of security and identity experts are not confident that traditional MFA is enough to thwart attacks.

50% of security practitioners are concerned they will lose insurance coverage if they continue with traditional MFA.

Why Adopt Passwordless Authentication?

Strengthened security. More coverage. Fewer exclusion policies.

Exceed cyber insurance compliance with passwordless continuous authentication based on FIDO2 standards.

Nine of the top 10 cyber insurance agencies have passwordless recommendations or requirements so that they can offer their customers:

  • The strongest coverage,  
  • The lowest premiums, and  
  • No insurance coverage exclusions written into contracts 

The example below is one insurance carrier’s protection package. Note that it treats passwordless authentication as baseline protection, not as an optional extra.

Arculix is able to meet minimum, baseline, and best protection requirements with its passwordless continuous authentication product. 

 

Health insurance
“We deployed passwordless authentication technology to get a $100 million coverage package with no exclusionary policies. This was huge for us, as most plans include some sort of exclusionary clause.”

– Chief Compliance Officer, Healthcare Insurance Provider

Minimum Protection

Email Security

  • Email tagging
  • Email content and delivery – sender policy framework (SPF) checks
  • Office 365 add-ons and configuration

Backup and Recovery Policies

  • Back up key systems and databases

Internal Security

  • Deploy and maintain a well-configured and centrally managed antivirus solution
  • Macros: limit use
  • Patching cadence
  • Well-defined and rehearsed incident response process
  • Educate your users (phishing training, etc.)
  • Manage access effectively (e.g., MFA, privileged access)

Baseline Protection

Backup and Recovery Policies

  • Regular testing of backups
  • Disconnect backups from organization’s network
  • Separately stored, unique backup credentials

Internal Security

  • Establish a secure baseline configuration
  • Filter web browsing traffic
  • Use of protective DNS
  • Endpoint detection and response (EDR) tools
  • Passwordless Authentication

Best Protection

Backup and Recovery Policies

  • Encrypted backups

Internal Security

  • Comprehensive centralized log monitoring
  • Subscription to external threat intelligence services
  • Network segregation (e.g., via access control or a well-configured firewall)

Traditional versus Invisible MFA

Know the differences in MFA approaches

New approaches to authentication are available to future-proof your business for cyber insurance compliance and beyond. Before you roll out any MFA initiative, be sure it is powered by a risk-based, continuous authentication platform that keeps full context on user behavior throughout the digital journey, including after authorization. Invisible MFA achieves this: it is phishing-resistant, and it gives users a frictionless experience without weakening the security posture.

In September 2023, MFA methods such as one-time passwords (OTPs), push to text, push to email, and personal identification numbers (PINs) were banned for our Federal Government, Energy and Financial Services customers. The reckoning is already a reality for these regulated industries.

Cybersecurity & Infrastructure Security Agency
“Not all forms of MFA are equally secure. Phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”

– CISA Fact Sheet on Implementing Phishing-Resistant MFA [October 2022]

Invisible MFA

  • Provides user context throughout the digital journey
  • Adds friction (e.g., prompts) only when risk appears
  • Leverages advanced MFA methods like behavior and passwordless

Traditional MFA

  • Provides only point-in-time context, with no control before authentication or after authorization
  • Adds an MFA prompt every time at authentication
  • Uses methods that are easy to phish or bomb (push to text, push to email)
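The difference between a relayable second factor and a phishing-resistant one can be shown in code. The Python simulation below is an added example, not SecureAuth or Arculix code: it models an adversary-in-the-middle phishing proxy sitting between a victim and a relying party, first relaying a one-time code (the push-to-text / OTP case) and then relaying a FIDO2/WebAuthn challenge. The origins bank.example and bank-login.example, the user alice, the toy authenticator and the relying party are all constructed for the demo, and the assertion signature is stood in by HMAC over a per-credential secret because the standard library has no asymmetric crypto; a real authenticator signs with a private key and the relying party verifies with the registered public key.

```python
# Added example (not SecureAuth/Arculix code): AiTM phishing proxy relaying a
# one-time code versus a FIDO2/WebAuthn assertion. Origins, user and authenticator
# are constructed; HMAC stands in for the authenticator's asymmetric signature.
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"         # assumed legitimate RP origin
RP_ID = "bank.example"
PHISH_ORIGIN = "https://bank-login.example"  # assumed attacker-controlled lookalike

class RelyingParty:
    def __init__(self):
        self.otp_codes, self.credentials, self.challenges = {}, {}, {}
    # One-time code delivered out of band (SMS, email, "push to text" style)
    def send_otp(self, user):
        self.otp_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otp_codes[user]
    def verify_otp(self, user, code):
        expected = self.otp_codes.pop(user, None)
        # The RP only sees digits; it cannot tell which web page the user typed them into.
        return expected is not None and hmac.compare_digest(expected, code)
    # FIDO2: store the credential's verification key, issue a fresh challenge per login
    def register(self, user, cred_key):
        self.credentials[user] = cred_key
    def get_challenge(self, user):
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]
    def verify_assertion(self, user, assertion):
        challenge = self.challenges.pop(user, None)
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != REAL_ORIGIN:  # origin binding: the anti-phishing check
            return False
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash
            return False
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])

class Authenticator:
    def __init__(self):
        self.keys = {}  # credentials are scoped to the RP ID they were created for
    def make_credential(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # stand-in for the public key handed to the RP
    def get_assertion(self, rp_id, client_data_hash):
        # authenticatorData = SHA-256(rpId) || flags (user present) || 32-bit counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(self.keys[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

def browser_get_assertion(authenticator, page_origin, rp_id, challenge):
    # Client-side WebAuthn: rpId must match the page's effective domain, and the
    # browser (not page script) writes the true origin into clientDataJSON.
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: rpId {rp_id!r} does not match {page_origin}")
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(cdj.encode()).digest())
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

def raw_assertion(authenticator, challenge, origin):
    # A tampered client that skips the browser's rpId check and picks its own origin
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data, sig = authenticator.get_assertion(RP_ID, hashlib.sha256(cdj.encode()).digest())
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

def otp_relay_succeeds():
    rp = RelyingParty()
    code = rp.send_otp("alice")          # victim gets the code, types it into the phish,
    return rp.verify_otp("alice", code)  # and the proxy replays it to the real RP in time

def fido2_outcomes():
    rp, auth = RelyingParty(), Authenticator()
    rp.register("alice", auth.make_credential(RP_ID))
    out = {}
    # 1. Honest login from the real origin
    a = browser_get_assertion(auth, REAL_ORIGIN, RP_ID, rp.get_challenge("alice"))
    out["legit"] = rp.verify_assertion("alice", a)
    # 2. Proxy relays the real challenge to the victim on the lookalike origin
    chal = rp.get_challenge("alice")
    try:
        browser_get_assertion(auth, PHISH_ORIGIN, RP_ID, chal)
        out["browser_blocked"] = False
    except ValueError:
        out["browser_blocked"] = True
    # 3. Even with the browser check bypassed, the signed origin is the phish origin
    out["rp_rejects_origin"] = not rp.verify_assertion("alice", raw_assertion(auth, chal, PHISH_ORIGIN))
    # 4. Rewriting the origin in transit changes the hash the authenticator signed
    a = raw_assertion(auth, rp.get_challenge("alice"), PHISH_ORIGIN)
    a["clientDataJSON"] = a["clientDataJSON"].replace(PHISH_ORIGIN, REAL_ORIGIN)
    out["rp_rejects_rewrite"] = not rp.verify_assertion("alice", a)
    return out
```

Calling `otp_relay_succeeds()` returns True: the relying party accepts the relayed code because nothing in a six-digit code says where it was entered. `fido2_outcomes()` returns True for all four checks: the honest login works, the browser refuses to produce an assertion for `bank.example` from the lookalike origin, a client that bypasses that check still produces an assertion whose signed origin the relying party rejects, and rewriting the origin in transit breaks the signature over `clientDataJSON`. That origin and RP-ID binding, not the prompt count, is what makes FIDO2 phishing-resistant, so a relying party must actually check both fields rather than only the signature.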

Watch Cyber Insurance Video

Insights from Former CISA Compliance Expert

Watch this video to learn how phishing-resistant MFA, powered by a risk-based, passwordless continuous authentication platform, can strengthen your enterprise security and help you attain cyber insurance compliance.

Rockitek Webinar
FIDO
“OTPs & PINs are easily exploitable with ‘MFA bombing,’ ‘man-in-the-middle,’ and other attacks. It is time for organizations to move beyond legacy forms of MFAs.”

Andrew Shikiar
Executive Director
FIDO Alliance

Cyber Insurance

Future-Proof Your Organization

MFA preparedness for cyber insurance

When applying for cyber insurance, applicants must fill out questionnaires about their existing security product stack. These questionnaires have grown lengthier and more technical over the last several years.

Here are some sample questions from underwriters, and some potential questions that could start cropping up as they require more robust forms of MFA. Will you be prepared?

MFA Questions Underwriters Are Asking Now

  • Do you enforce MFA for all admin users on your network?
  • Do you enforce MFA for ordinary users on your network?
  • Do you permit users remote access to web-based email?
  • If Yes, do you enforce MFA for access?
  • Do you permit ordinary users local admin rights to their devices (laptops)?
  • Do you provide your employees with password management software?

MFA Questions Underwriters May Soon Ask

  • Can you specify the MFA methods that you utilize? Are you using push to text or other insecure methods?
  • Do you use real-time risk scoring to continually authenticate users and accounts?
  • Can you secure users post authorization?
  • Do you utilize device trust for a more comprehensive security approach?
  • What is your MFA adoption rate? Are you getting push-back from users due to MFA fatigue (i.e. too many prompts)?
  • Are you using MFA methods that bypass the use of passwords?

Why Choose Arculix for Cyber Insurance Compliance

Purpose-built for authentication security

To stay ahead of the latest attacks and exceed cyber insurance compliance, you need a novel approach to MFA: one powered by a risk-based, continuous authentication platform that provides passwordless options, device trust, and security controls throughout the digital journey, including after authorization.


Risk Engine

Authentication that goes beyond the binary

Get ultimate transparency on how risk is measured with our patented policy-based and AI/ML risk analyzers. The risk engine provides the most accurate, real-time risk scores (based on NIST standards).   

The behavioral modeling approach allows you to: 

  • Determine when to increase user friction based on the DLOA (Dynamic Level of Assurance)  
  • Provide security even post authorization, as risk is continuously checked throughout the user journey
Device Trust

Mobile. Desktop. Laptop. Server.

Get data from all devices to provide a comprehensive risk view to:

  • Streamline remote audit logs and control of user access.  
  • Stitch data together for an accurate trust chain and compliance processes.   
  • Detect threats across all endpoints.  
  • Consolidate authentication processes for Windows and macOS environments. 

Invisible MFA

Delight users. Strengthen security.

Arculix is the only product that combines and analyzes data from your mobile devices, workstations, and browser fingerprint to truly determine identity. This is the underlying next-gen technology that powers our invisible MFA approach.

It allows you to:

  • Eliminate MFA fatigue by reducing the number of prompts from all devices, apps, VDI, VPN and SSO. 
  • Strengthen security as fewer prompts result in fewer MFA bombing attacks. 
  • Increase MFA adoption as users will appreciate the frictionless experience  
  • Improve user experience by consolidating to a single passwordless solution 
eCommerce
“We enabled 95% of our workforce with Arculix’s invisible MFA & device trust. Its risk-based authentication approach provides a massive decrease in breaches.”

eCommerce Giant
