Getting Over MFA Implementation Hesitation

July 15, 2019 Vishnu Kant Varma

We talk a lot about how multi-factor authentication (MFA) is a vital tool in a Zero Trust approach, the most promising strategy to keep an organization safe from breaches. We may even take it for granted that our audiences know exactly what we’re talking about with MFA and why it is so important. In the industry analysis section of the recent 2019 Verizon Data Breach Investigations Report, MFA was recommended as a “thing to consider” to four different industries, including finance and insurance. It is surprising that in 2019 this seemingly standard security tool should even have to be recommended to industries. What is behind any hesitation to implement MFA, and how can enterprises overcome this reluctance?

Anyone who travels can relate to the desire to arrive at the airport, pass quickly through security, settle into your seat, and take off into the air in, say, 15 minutes. But the reality is all travelers must go through security checks, and this can take time. And while travelers do indeed complain about TSA regularly, no one wants to have an incident once on board. There is always a fine balance between user experience in accessing something and also delivering security.

We hear from analysts and customers that MFA and delivering a solid user experience are at odds with each other. Traditionally, as security moved towards the implementation of strong authentication, it could compromise user experience. Enterprises naturally don’t want to frustrate their users or encourage them to create work-arounds. A B2C company might wonder, “will MFA reduce traffic to the website?” These are legitimate concerns.

With an adaptive MFA solution like CyberArk Idaptive’s, security is strengthened with context- and behavior-based access controls to all applications. Analytics and machine learning are leveraged to detect abnormal and risky user behavior, prompting an MFA challenge or blocking access in real time. When a user signs in from her usual device, into her typical apps, in her typical geolocation, she won’t have to be prompted with MFA. Think of it as having ‘TSA Pre-Check’ on her airline ticket: it speeds up her airport security process, but her actions are continuously monitored (Behavioral Analytics) so that she can be asked to undergo security screening if any anomaly is detected. This delivers a good user experience without compromising security.
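To make the contextual decision above concrete, here is a small risk-based authentication policy written for this post as an added example; it is not Idaptive’s product logic. The signals (device, country, application, recent failed attempts), the scoring weights, the thresholds and the user baselines are all constructed assumptions. A familiar context scores low and is allowed through without a prompt, a deviation triggers an MFA challenge, and a pile-up of anomalies blocks the sign-in outright. The last function shows the learning step: once a challenge is passed, the new context becomes part of the user’s baseline so she is not prompted for it again.

```python
"""Toy risk-based (adaptive) MFA policy engine.

Hypothetical illustration: the scoring weights, thresholds, signals and
user baselines below are constructed for this example and are not any
vendor's product logic.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"               # familiar context: no prompt (the "Pre-Check" lane)
    CHALLENGE = "mfa_challenge"   # something deviates: ask for a second factor
    BLOCK = "block"               # too risky to let a second factor decide


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past sign-ins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_apps: set = field(default_factory=set)


@dataclass
class LoginContext:
    """Signals available at sign-in time (constructed for the example)."""
    user: str
    device_id: str
    country: str
    app: str
    failed_attempts_last_hour: int = 0


def risk_score(ctx: LoginContext, baseline: UserBaseline) -> int:
    """Sum the deviations from the user's baseline; 0 means fully familiar."""
    score = 0
    if ctx.device_id not in baseline.known_devices:
        score += 40   # unrecognised device: strongest single signal here
    if ctx.country not in baseline.usual_countries:
        score += 30   # unusual geolocation
    if ctx.app not in baseline.usual_apps:
        score += 15   # first time touching this application
    score += 10 * min(ctx.failed_attempts_last_hour, 5)  # guessing pressure, capped
    return score


def decide(ctx: LoginContext, baselines: dict,
           challenge_at: int = 30, block_at: int = 80) -> Decision:
    """Map the score to an access decision. A user with no baseline yet is
    always challenged, since there is nothing to measure familiarity against."""
    baseline = baselines.get(ctx.user)
    if baseline is None:
        return Decision.CHALLENGE
    score = risk_score(ctx, baseline)
    if score >= block_at:
        return Decision.BLOCK
    if score >= challenge_at:
        return Decision.CHALLENGE
    return Decision.ALLOW


def record_successful_mfa(ctx: LoginContext, baselines: dict) -> None:
    """After a passed challenge, fold the context into the baseline so the
    same device, location and app count as familiar next time."""
    baseline = baselines.setdefault(ctx.user, UserBaseline())
    baseline.known_devices.add(ctx.device_id)
    baseline.usual_countries.add(ctx.country)
    baseline.usual_apps.add(ctx.app)


# Constructed sample baseline for one user.
BASELINES = {
    "alice": UserBaseline(known_devices={"laptop-1"},
                          usual_countries={"US"},
                          usual_apps={"mail", "crm"}),
}

if __name__ == "__main__":
    for ctx in [
        LoginContext("alice", "laptop-1", "US", "mail"),                         # familiar
        LoginContext("alice", "phone-9", "US", "mail"),                          # new device
        LoginContext("alice", "phone-9", "BR", "crm", failed_attempts_last_hour=3),  # pile-up
        LoginContext("mallory", "tablet-2", "US", "mail"),                       # no baseline
    ]:
        print(ctx.user, ctx.device_id, ctx.country, "->", decide(ctx, BASELINES).value)
```

The thresholds are the policy knob: lowering `challenge_at` prompts more often (more friction, less risk), while `block_at` should stay above any single signal so that one unfamiliar attribute leads to a challenge rather than a lock-out.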

Another reason behind any hesitation for MFA could be the perceived cost of managing those second factors. A decade ago, smartphones were just starting to mature. For authentication, people still used smart cards, USB keys plugged into devices, and SMS as one-time passwords. There were immense costs associated with managing many of these and their life cycles. For example, vendors like AT&T would charge for every SMS sent out. Even a rechargeable smart card would cost $50. Deploying measures like this to an entire organization would quickly rack up the expenses.

All of this changed in the last decade. Today, smartphones are ubiquitous — everyone has them. Bring your own device (BYOD) is very common, which means most individuals carry and manage their own phones for the organization. As a result, the cost of operating many second factors for multi-factor authentication has gone down, while also offering new possibilities for authentication methods such as authenticators for new standards such as WebAuthn/FIDO2.

Our adaptive MFA includes a comprehensive range of authentication methods, including passwords, smart cards, soft tokens, and cryptographic devices. It’s not enough to protect your organization — the experience for employees should be frictionless. Whether it’s a push notification, Integrated Windows Authentication, the Idaptive mobile authenticator, SMS/text message, email, an interactive phone call, YubiKeys, USB devices, digital certificates, FIDO U2F, smart cards, derived credentials, or biometrics, we’ve got an authentication method for everyone, even the most hesitant of organizations.

We won’t go so far as to evoke that old saying, “you snooze, you lose,” but hesitating to put an adaptive MFA solution to work protecting your employees and extended business could have a similar impact to a hijacker getting through security because there was no TSA agent.
