Three questions to ask when setting up MFA

Today’s columnist, Kimberly Biddings of BIO-key International, points out that Verizon’s DBIR found that 81% of hacking-related breaches resulted from breaking a password – and that’s why security teams have to focus more on MFA.

Setting up multi-factor authentication (MFA) has become the gold standard for authentication and access security. Estimates find that organizations can prevent 90% of cyberattacks by implementing a strong MFA strategy. However, not all authentication methods used in that strategy are created equal. There are a variety of different options out there and it’s important to ask the right questions to ensure a streamlined and secure process of access for all users. Here are three questions to ask:

What level of security does the organization have?

There’s no one-size-fits-all solution for securing data. While a single password might suffice for accessing a Facebook account, we need a stronger method to secure banking information. The more sensitive the data and the more critical the system, the more stringent the authentication process needs to be.

In broad terms there are three methods for authentication: something you know (like a password), something you have (a device), or something you are (a biometric). Passwords have remained the most common way to authenticate a user across the internet in spite of their obvious security flaws. The Verizon Data Breach Investigations Report found that 81% of hacking-related breaches stem from breaking a password. From weak passwords, to phishing, to password-cracking programs, passwords are one of the easiest ways for hackers to gain illicit access. Physical methods like hardware tokens or device authentication are harder to hack, but users can lose or misplace them. Biometric measurements are the most secure way of identifying an individual, as the physiological measurements used cannot be shared, stolen or lost. But biometrics also come in different forms.

Important differentiators among styles of biometric authentication are where the biometric data gets enrolled and who has the power of enrollment. Apple’s Touch ID has become one of the more common biometric methods in use today. In this system, the owner of the device can enroll their own biometric, which gets stored locally on the device, and then has the option to enroll other users on the same device. While this works well for protecting personal data on the device, it’s not the most secure way for an organization to protect its data being accessed using that device. With enrollment based on the device, and the biometric data held on the device, there’s no way for an organization to distinguish between the device and the person using it. If another user enrolls on the device, the organization still just sees the authenticated device, rather than who actually gains access.

Centralized or Identity-Bound Biometric (IBB) methods tackle this issue by storing the biometric templates with the organization. This allows the organization to guarantee the identity of the person accessing the system by comparing their biometric scan to the template on file, thus authenticating a person rather than a device. It’s no longer an option to enroll unknown parties, eliminating the chance that a threat actor has found a way to enroll themselves or a malicious insider has enrolled additional people onto an authenticated device.
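As an added illustration (not the column’s own code), here is a toy model of the two enrollment styles just described: the device-bound path reports only a device id no matter which locally enrolled person unlocked it, while the identity-bound path matches against a template the organization holds and refuses self-enrollment. The feature vectors, matcher and threshold are constructed assumptions, not any vendor’s algorithm.

```python
from dataclasses import dataclass, field

THRESHOLD = 0.9  # assumed similarity threshold for the toy matcher

def similarity(a, b):
    """Fraction of positions on which two equal-length feature vectors agree."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

@dataclass
class DeviceBoundAuth:
    """Touch ID style: templates stay on the device, anyone holding it can
    enroll, and the relying party only ever learns the device id."""
    device_id: str
    local_templates: list = field(default_factory=list)

    def enroll(self, template):  # no organizational control over enrollment
        self.local_templates.append(tuple(template))

    def authenticate(self, scan):
        if any(similarity(scan, t) >= THRESHOLD for t in self.local_templates):
            return {"device": self.device_id}  # no user identity is asserted
        return None

@dataclass
class IdentityBoundAuth:
    """IBB style: templates enrolled and held by the organization, per user."""
    templates: dict = field(default_factory=dict)

    def enroll(self, user, template, enrolled_by_admin):
        if not enrolled_by_admin:  # unknown parties cannot self-enroll
            raise PermissionError("enrollment is performed by the organization")
        self.templates[user] = tuple(template)

    def authenticate(self, claimed_user, scan):
        t = self.templates.get(claimed_user)
        if t is not None and similarity(scan, t) >= THRESHOLD:
            return {"user": claimed_user}  # a person, not a device
        return None

# Constructed sample biometrics: Alice owns the phone; Mallory has been
# added to it as a second enrolled user.
ALICE = (1, 0, 1, 1, 0, 1, 0, 0, 1, 1)
MALLORY = (0, 1, 0, 0, 1, 0, 1, 1, 0, 0)
def demo():
    phone = DeviceBoundAuth("alice-phone")
    phone.enroll(ALICE)
    phone.enroll(MALLORY)
    ibb = IdentityBoundAuth()
    ibb.enroll("alice", ALICE, enrolled_by_admin=True)
    return phone.authenticate(MALLORY), ibb.authenticate("alice", MALLORY)
```

The organization sees the same `alice-phone` assertion whether Alice or Mallory unlocked it, whereas the identity-bound check returns `None` for Mallory because no template of hers was ever enrolled by the organization.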

Is the MFA solution easy for people to use?

Always consider the user experience. Passwords are easily forgotten, and many of us are guilty of using the same password across multiple platforms for convenience’s sake, lessening the effectiveness of the password as a security control. Also, authentication happens across a wide variety of situations, in some of which users may not have access to cell phones or may find it challenging to keep track of hardware tokens. Understanding all the different situations in which users are being authenticated gives an idea of what methods they can use. For example, many MFA methods require a device like a smartphone, which is not a viable option for many users.

One-time passwords (OTP) will send a text message with a single-use code to a user, but these will only work if the user is in cell range and has their phone with them. Phone-based methods are especially a concern in mobile-restricted environments, such as a manufacturing production floor or a bank branch, where access to smartphones can be limited by safety or security concerns. Having a diverse set of options available in an MFA system will guarantee more flexibility and a greater ability to authenticate users in unique situations.

Biometrics represent a unique addition to MFA where convenience does not get sacrificed for security. Utilizing biometrics means a user doesn’t need to remember a password or carry a device, and represents an authentication method that can’t be shared, stolen or lost. At the same time there’s increasing evidence that users are more inclined to use biometrics, with VISA reporting that 86% of consumers are interested in using biometrics to identify themselves or make payments.

What does the MFA solution cost?

While security and convenience are arguably the most important considerations when establishing MFA, no organization can overlook the cost. It’s cheap to set up passwords, but finding the next piece of the MFA puzzle presents greater cost considerations. Phone-based methods like OTPs sent to a cell phone are low in cost as well; however, employers may want to consider the cost of asking people to use their own devices for work-related tasks. At least 10 states have enacted laws that require organizations to pay for any necessary expenses incurred by employees while on the job. In some cases this means covering the cost of cell phones if they are essential to accessing data through OTPs.

But the cost of cell phone-based methods will always pale in comparison to the cost of hardware tokens. The security team needs to order tokens, send one to each user, and then keep track of them, creating both greater cost for the devices themselves ($25-$100+ per device) and the overhead cost of implementing, maintaining, and tracking the devices. This makes hardware tokens not only a very costly MFA option, but also the one that takes the longest to implement, as creating an infrastructure to support them takes time.

Biometric options also benefit from flexibility. Companies can use IBB from a device like a cell phone, similar to OTPs, or by using devices like fingerprint scanners installed at points of access, which security teams don’t have to mail out to users or keep track of like hardware tokens. It’s also critical to have a variety of biometric methods available as companies look to balance cost, security, and convenience across all authentication workflows; in some cases biometrics are the only option when all other methods are unable to be used. An MFA strategy without biometrics is incomplete.

As the world becomes more digital, understanding how to create a secure and convenient environment for access has become top-of-mind. Asking how to best secure data in a way flexible enough to work across a wide variety of use cases will set an organization up best for success. MFA continues as the most common and effective way to secure data, but there’s no one answer for how to establish each factor for authentication. Before implementing a new system, it’s worth taking the time to think through the user’s experience and understand the implications of each of the arrows in the MFA quiver.

Kimberly Biddings, vice president of product, BIO-key International
