Why risk everything on someone’s poor password habits? Multi-Factor Authentication (MFA) is quickly becoming the new norm for verifying people are who they say they are before granting access to digital assets.
Yet there remains a certain reluctance to implement MFA on account of its supposed detrimental impact on the user experience. But MFA has come a long way from its clunky beginnings two decades ago – making it easy for everyone except attackers.
Easy to use
When people think of MFA, they usually think of the authentication system in its most extreme form – requiring a combination of disconnected physical tokens, location-based factors or USB keys which must always be carried on your person. Some of these more-severe MFA systems are designed to be difficult so that organizations can be sure, without a doubt, that users requesting access are who they say they are. While these factors are still used at organizations requiring more robust security protocols for their digital access points, today there are frictionless factors available for a streamlined user experience.
An organizational portal, for example, designed to grant access to sensitive communications, can be set up to require a password as a first factor and a Time-Based One-Time Password (TOTP) – a single-use, soft-token and time-stamped random code – issued from a third-party SaaS app installed on the user’s mobile device as a second factor before access is granted. With the app-issued TOTP, an additional authenticating factor is added with little change to the user experience.
Hard to compromise
A password is only as strong as it is complex – and even the most complex password can be cracked. But people are notorious for choosing weak passwords, reusing old ones, and even using the same passwords for multiple points of access regardless of sensitivity. According to Verizon, 81 per cent of breaches in 2017 were due to weak or stolen passwords. By asking for additional factors of authentication, MFA ensures that even if a weak password is compromised, access is still denied.
In this way, MFA also acts as an effective deterrent to malicious actors. Consider, for example, that half a per cent of Azure Active Directory accounts used by Office 365 are compromised every month – that amounts to a yearly total of 600 compromised users at an enterprise composed of 10,000 accounts. Gartner says an organization which adopts MFA can see a figure like this drop 50 per cent by the end of 2020.
Works well with others: the case of Maersk
Large enterprises undergoing digital transformations are investing in cloud-based SaaS providers to help them bridge gaps in their massive tech stacks. Take Maersk of Denmark, for example, the world’s largest shipping empire, whose ‘cloud-first’ policy means they outsource tasks and services which are not directly tied in with their product.
Rasmus Hald, Head of Cloud Center of Excellence at A. P. Moller – Maersk, told Computer Weekly, “Why in the world would I run an email system in the year 2019? You might have constraints, like legal requirements [that stop you], but if you don’t, why would you have the hassle of running an email service when you can buy great services off the Internet that probably give you a better service than you would ever be able to provide yourself? [Our philosophy at Maersk is to] buy other people’s software as a service and then focus our efforts on building great software for our users, [and] for our customers.”
But with more third-party connections come more opportunities for malicious agents to gain access to organizational networks. This is what makes MFA such an important feature to look for when choosing a SaaS partnership. If MFA mechanisms are in place, the higher degree of security can help keep any authorization vulnerabilities from outweighing the benefits of the service provided.
Digital transformations enable organizations to be available anywhere and anytime to better serve customer bases across the planet. For an organizational leader, this customer-centric digital world is good for business. But for someone in charge of internal organizational IT infrastructure, a fully digital, connected, cloud-based environment, where sensitive data is flowing, SaaS providers are plugged in and users are mobile, can be a nightmare without help – especially for sensitive processes like authentication.
MFA can help an organization prepare itself for perimeterless cybersecurity postures in a zero-trust world – where every user needs to be vetted before access is granted. Gartner says, as digital organizations continue their digital transformations, they are going to begin relying less on traditional digital security tools, like VPNs, firewalls and hardware, and focus more budget on securing users outside their digital environment. With its ability to authenticate users more accurately according to various digital factors, MFA is going to play an important role in perimeterless security solutions.
By Alex Loo, VP Operations at Echoworx