Corporate staff and consumers alike are likely to have experienced first-hand one or more waves of multi-factor authentication (MFA) deployment.
The first wave of MFA was driven by the adoption of Zero Trust in the work-from-anywhere era. With staff outside the office connecting to a range of cloud-based services via corporate and BYOD devices, there was an extra need to confirm the user trying to access these corporate resources was who they said they were.
More recently, a second wave of MFA adoption has occurred on the back of several high-profile cyber-attacks and data breaches in Australia. At least one of these attacks saw a legitimate set of credentials exploited in order to access and exfiltrate data. And a range of organisations initiated urgent security reviews in the wake of these attacks.
One of the action items was to confirm that existing MFA implementations across the end-to-end corporate environment are effective. Another was to fast-track MFA deployments in organisations that did not have the capability enabled to any great extent.
The short version of that is: not everyone has MFA – and even those that do may not yet have it right.
Where MFA is going wrong
Some organisations have put MFA on everything, albeit not in a user-friendly or user-centric way.
This is apparent in the number of MFA prompts and push notifications being generated and sent. We’ve seen first-hand a customer with over 240 MFA-enabled applications generating almost 40,000 prompts a day, where about 65 per cent were overkill and likely to be annoying users. This is not uncommon for organisations with a regional – Asia Pacific – presence. Small-to-mid-sized firms also proportionately face the same kinds of challenges.
The phenomenon of MFA fatigue is a real problem in these types of scenarios. Constant MFA push notifications and verification prompts are seen as an impediment to productivity. Users associate them – and security more generally – as an annoyance. They stop paying close attention and click through the prompts. Attackers have realised this and exploited MFA fatigue to damaging effect – last year’s Uber breach being a prime example.
It’s also clear from surveys that MFA implementations are falling short of the mark. A recent consumer survey found only 35 per cent of Australians would rate their login experience with online services as “very efficient”. Two-thirds were left underwhelmed. In addition, most understood the value proposition of MFA and wanted it in place for account and data protection, on the proviso that it did not interfere with convenience or the overall user experience.
With today’s consumer-led experiences driving demand for similar in the workplace, it’s likely that these results would play out in the enterprise space as well. Employees do not have a problem with MFA, as long as it does not create an inconvenience.
Putting MFA right
Increasingly, what sets businesses apart in their MFA implementations is a customer or employee-centric focus, and the way that it is enabled.
This human-centred ethos permeates a number of parts of organisations already. Technology teams use human-centred design (HCD) techniques when specifying new systems to improve take-up and adoption. The customer-facing parts of organisations, particularly those in heavily regulated sectors like banking and telecommunications, invest heavily in KYC – know your customer – processes, both for risk reduction and to personalise offerings.
Security – and particularly MFA – needs to be treated similarly. The way this is occurring is by layering risk-based authentication into an MFA system, which uses pre-programmed smarts to assess whether or not a user poses a threat and needs to be prompted to re-authenticate.
A good risk-based authentication engine is capable of collecting dozens of signals about users that can be used to identify them: whether they’re logging in from the device or network they always use, what application they want to access, and what their geographic location is.
Risk-based authentication learns the patterns of each user and scores the risk of user requests and actions. An MFA policy uses this risk score to decide whether to approve/challenge/deny the authentication and to determine what type of MFA should be used in different scenarios.
Organisations can set risk profiles according to their risk appetite. If person x uses a different device in the same physical location via a known network, this may be permissible without an MFA challenge. However, if the same person tries to use a new – unrecognised – device to access HR or payroll systems or data, the risk profile may dictate that an MFA challenge is triggered, to confirm the user is who they say they are, and that their access to these systems is justified.
As a user, this kind of system creates confidence. When I travel to a different country and log in from a different jurisdiction, I feel good knowing that the risk engine has identified a significant change in my pattern of behaviour and I’m being asked to MFA and re-log into all of my applications.
MFA remains the simplest thing organisations can do to enhance their security posture for employees and customers. By coupling MFA with a really good risk engine, organisations can limit fatigue and turn friction or frustration into meaningful protection from a broad range of cyber threats.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
