It's time to find an alternative to multi-factor authentication
François Amigorena, CEO, IS Decisions
There's no doubt that multi-factor authentication is a strong way to protect your data — and the more factors you need to use to authenticate yourself, the stronger that protection becomes.
Security experts have heralded multi-factor authentication as the answer to concerns around passwords, which cybercriminals can all too easily compromise through social engineering or phishing. When you combine a password, which is something you know, with biometrics, security tokens or SMS, which is something you own, you stand a better chance of keeping cybercriminals out. A bit like having two front doors in front of each other — if a crook gets their hands on a key for one of the doors, the remaining door will still keep them out.
But despite the reverence it enjoys, multi-factor authentication is not without its flaws. As technology and cybercriminal techniques evolve, individual factors of authentication can become easier to crack, rendering the protection weaker. For example, if you're using SMS as a factor, criminals can now all too easily deceive cellphone shops into transferring someone's phone number to a different phone. For that reason, the National Institute of Standards and Technology (NIST) recently stated that if organizations are to remain FISMA compliant, they are not to use SMS as part of the process.
The real flaw in multi-factor authentication, though, is in how the technology affects the rest of your business. IS Decisions research has found that nearly half of US organizations do not use multi-factor authentication to protect against compromised credentials, citing 'infrastructure complexity' (28%) and 'time needed to manage and oversee' (18%) as two of the biggest barriers to adoption.
Let's start with infrastructure complexity. When you're operating a large business with security processes in place that are already quite complex, introducing a new procedure to the mix can often be disruptive and cumbersome. There's lots to consider in terms of how the technology will work alongside existing processes, where you need it most, how many factors of authentication are suitable, and how to get users on board with the changes.
Time is another issue, and not just in terms of implementation. IT administrators have enough on their plate already without having to deal with users who have lost their security tokens or Google Authenticator-enabled smartphones.
The flaws don't stop at implementation and management. Using the technology itself is becoming more of an issue as firms look to increase employee productivity. The same IS Decisions research found that each employee loses 21.88 minutes every week because of complex IT security procedures, which equates to 3.8 days a week or 182 days a year for a firm of 250 employees. Even smaller businesses of, say, 30 people suffer lost productivity to the extent of 21.9 days a year.
While many could argue that employees waste more time going to the toilet or making coffee, the productivity issue becomes a real problem in industries where fast access to data is key to success. For example, in healthcare, the last thing you need is for a doctor or nurse to be held back by security when they're accessing a patient's health records at a time when speed is of the essence. Fast access in these scenarios can often be the difference between life and death.
Obviously, organizations cannot afford to grant fast access at the expense of security — otherwise what's the point of security? But traditionally, if you wanted to improve security, you'd have to force users to jump through more hoops to prove their identity, thereby slowing down access time. One aspect comes at the expense of the other. So how can you possibly grant fast access yet maintain high levels of authentication security?
Over the years we've all been programmed to think of access security in terms of passwords, PIN codes and keys — much in the same way we gain access to our homes. But with context-aware security, your system can take advantage of supplemental information to decide whether access is genuine or not at the exact moment when someone attempts to connect. Using rules that are based on this supplemental information and set by the IT department, the system can automatically grant or deny access.
For example, you can set rules restricting an individual's network access to certain workstations located in particular departments on your office premises. Or you could set up rules restricting access to certain connection types (IIS, Wi-Fi, VPN) so employees can continue to work on the go, or even restrict access to particular times of day, locations or a maximum number of concurrent sessions. Restricting access in this way means that even if a cybercriminal gets their hands on an employee's password, they still won't be able to get access, so sensitive data remains safe. Any attempt to connect outside of these rules can also immediately notify administrators, who can investigate and modify access rules with a single click.
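The rule types listed above (permitted workstations, connection type, time of day and a concurrent-session ceiling) and the administrator notification on a denied attempt, as an added Python example that is not from the article or from IS Decisions' product; the rule schema, user name, workstation names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessRule:
    """Per-user policy set by IT (constructed model, not any product's real schema)."""
    user: str
    workstations: frozenset      # machines this user may log on from
    connection_types: frozenset  # e.g. console, vpn, wifi
    hours: tuple                 # allowed window (start_hour, end_hour), end exclusive
    max_sessions: int            # concurrent-session ceiling

@dataclass(frozen=True)
class LogonAttempt:
    user: str
    workstation: str
    connection_type: str
    when: datetime
    active_sessions: int         # sessions already open for this user

def evaluate(rule, attempt):
    """Check every contextual factor at logon time; return ('allow'|'deny', violations)."""
    violations = []
    if attempt.user != rule.user:
        return "deny", ["rule does not apply to this user"]
    if attempt.workstation not in rule.workstations:
        violations.append(f"workstation {attempt.workstation} not permitted")
    if attempt.connection_type not in rule.connection_types:
        violations.append(f"connection type {attempt.connection_type} not permitted")
    start, end = rule.hours
    if not start <= attempt.when.hour < end:
        violations.append(f"logon at {attempt.when:%H:%M} outside {start:02d}:00-{end:02d}:00")
    if attempt.active_sessions >= rule.max_sessions:
        violations.append(f"{attempt.active_sessions} sessions open (limit {rule.max_sessions})")
    return ("deny" if violations else "allow"), violations

def admin_alert(attempt, violations):
    """Single line pushed to administrators when an attempt is denied."""
    return (f"ALERT {attempt.when:%Y-%m-%d %H:%M} user={attempt.user} "
            f"from={attempt.workstation} via={attempt.connection_type}: "
            + "; ".join(violations))

# Constructed sample: a finance user limited to two department workstations,
# console or VPN only, 07:00-20:00, at most two concurrent sessions.
FINANCE_RULE = AccessRule("jdoe", frozenset({"FIN-WS01", "FIN-WS02"}),
                          frozenset({"console", "vpn"}), (7, 20), 2)
# The password is valid in both attempts; only the context differs.
OK_ATTEMPT = LogonAttempt("jdoe", "FIN-WS01", "console", datetime(2024, 3, 4, 9, 15), 0)
BAD_ATTEMPT = LogonAttempt("jdoe", "KIOSK-07", "wifi", datetime(2024, 3, 4, 2, 40), 2)
```

Running `evaluate(FINANCE_RULE, BAD_ATTEMPT)` denies the logon on all four factors at once, and `admin_alert` turns that result into the notification the text describes, so a stolen password alone never produces an allow.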
Crucially, this form of transparent access security doesn't impede the end user like multi-factor authentication does, and can complement any existing security technology you've already got in place. Therefore, you no longer need to think in terms of striking a balance between security and productivity. The two can now go hand in hand.
A report on the frustrations that IT managers face with multi-factor authentication and how complex security affects productivity can be found here.