We can all agree that if you want to protect your organization’s data, you will need to enforce multi-factor authentication (MFA) for your users. But the challenge to balance, implement, and train users to manage MFA effectively is a burden many organizations would rather not face.
Remote employees, online users, and external partners further contribute to the challenge by providing new avenues for cyberattacks and account takeovers. This is especially true if the user’s authentication method is weak. While it is everyone’s responsibility to protect company data assets, organizations cannot count on everyone to perform this due diligence all the time.
This lack of due diligence begs the question, are there better ways to manage identity? The answer is yes and it is MFA. But which MFA is right for you?
Let’s review some of the multi-factors and how unique attributes can be used to boost digital identity security and help you decide which MFA solution is right for your organization.
Knowledge factors. Known as “something you know” is knowledge-based authentication and typically a memorized secret / password or an answer to a secret question. It is the simplest and most ubiquitous form of authentication.
Possession factors. Known as “something you have” is a registered hardware device such as a security token or a mobile phone with a piece of software that may receive or generate a unique number via SMS or with a synchronization.
Inherence factors. Known as “something you are” is used in biometric verification (i.e. Biological traits of the user). These factors include iris and retina scans, fingerprints, hand geometry, facial recognition, and forms of voice recognition.
In addition to these human specific factors there are several other factors that can be introduced at the time of authentication. These are helpful if not imperative for any non-human authentication like machine-to-machine logins. These factors contribute to an assessment of the authenticity of the login request but should never be the only deciding factor as they should prompt for additional credentials or step-up authentication such as location, time, and behavioral.
Location factors. Known less commonly as “somewhere you are” , the user is authenticating from a location and the system compares it to more common locations previously recorded to determine the authenticity of the login request. The location is typically detected using GPS or derived from the IP address of the machine or browser session.
Time factors. Known as “some time it is”, the current time either on the service or at the location of the login is assessed in reference to the location. For example, if a banking request is more commonly performed at 8 AM – 5 PM PST in New York, and then suddenly at 3 AM in Los Angeles, it’s flagged as suspicious because it doesn’t reflect previous access times.
Behavioral factors. Known as “some behavior we are used to” includes assessing behavioral tendencies unique to a user from previously recorded behavior such as typing speed, finger pressure on the keypad, voice intonation, and swiping and mouse patterns. Behavioral biometrics has been around for many years and is being advanced each year as it’s usually considered less intrusive and more secure than physical biometrics.
So, what is the right MFA solution for your organization?
The right MFA solution is the one that balances the security needs of the organization, has 100% user adoption, creates the least amount of friction, and costs less than the data it protects or a potential breach it prevents.
So how do you compare the MFA technologies against your needs and ensure this technology is future proof?
Choosing the right MFA is a matter of what makes the most sense for your business. If your IAM solution comes with an MFA service or “app”, constantly evaluate its ease of use and manageability. Balancing your user’s needs with your business risk will pay off in the long term.
MFA will also make your GRC Officer sleep a whole lot better when used correctly.