Cybersecurity pundits have been proclaiming for years that the “password is dead,” and there’s an element of truth in that claim. Passwords remain one of the weakest points in any organization’s security posture. According to the 2019 Verizon Data Breach Investigations Report, 80 percent of hacking-related data breaches involve weak or compromised passwords, and 29 percent of all breaches involve stolen credentials.
The problem is that many users don’t follow password best practices. Employees often use weak passwords that are easy to crack via credential stuffing or dictionary attacks. Many use the same password for both personal and business applications, and fail to keep their credentials secure.
Increasingly, organizations are adopting multifactor authentication (MFA) to address these risks. MFA bolsters password protection by requiring one or more additional credentials to verify a user’s identity. The factors could include something you know (such as a PIN), something you have (such as a token) or something you are (such as a fingerprint). User location and time of day are also used as authentication factors.
While MFA can be beneficial, it’s critically important to take a strategic approach. Some organizations adopt or expand MFA without fully considering user requirements and appropriate use cases. This inevitably leads to IT constraints and increased support overhead.
For example, many enterprises are relying on employees’ mobile devices to enable MFA. The thinking goes that most people have their smartphones with them at all times, so one-time passwords or PINs can be sent to the device as a second authentication factor. However, considerations should be made for instances when the mobile device can’t be used. What if the device is lost or stolen? What if the user is in an area with spotty cellular coverage? What if the user is in a facility where smartphones are not allowed?
The availability of the MFA solution must also be considered. Many organizations are turning to cloud-based MFA services to eliminate the hardware, management and support costs associated with maintaining on-premises infrastructure. An enterprise-class MFA service will likely be highly available, but what if a user loses Internet connectivity? There needs to be some sort of manual override process so that productivity isn’t impacted.
MFA should also be implemented in the context of identity and access management (IAM). Organizations often deploy a standalone MFA solution and then move on to an IAM strategy. MFA then becomes a bolt-on to the IAM platform that may not necessarily fit. If organizations are considering MFA, IAM should be the starting point.
Finally, the MFA strategy should be flexible enough to adapt to various use cases. MFA is commonly used to secure VPN access and web-based single sign-on, but may need to be extended to desktops and laptops in a “zero trust” environment. Privileged accounts and remote desktop access may require three or even four authentication factors to ensure security.
With the right strategy in place, organizations can begin evaluating MFA solutions. Best-in-class solutions support a number of authentication methods, including Universal 2nd Factor (U2F) security tokens, mobile passcodes, SMS text and phone call back, and a variety of biometric scanners. Self-service options allow users to enroll themselves and manage their authentication devices. Some solutions even have automatic enrollment options that synchronize users from existing directories or IAM platforms.
Done right, MFA can strengthen password security and reduce the risk of a breach. Technologent can help you implement an effective IAM and MFA strategy to improve user authentication.
July 15, 2019