The Growing Need for Multifactor Authentication
By Waqas Akkawi, Chief Information Security Officer, SIRVA Worldwide
Corporate security isn’t getting better fast enough, and critical infrastructure security hangs in the balance, while hackers from around the world are becoming stronger and more sophisticated. It’s already proven that passwords are the weakest link in security architecture. The key is multi-factor authentication (MFA), which adds a layer of security to protect against data breaches. When using MFA, users provide extra information or factors when they access corporate applications, networks, and servers.
1. What are some of the biggest trends and changes happening in the multifactor authentication solutions arena?
MFA is a great control method implemented to reduce the risk of unauthorized access to critical intellectual property and personally identifiable information. It gained traction because cyber threats such as phishing attacks and credential thefts became more common. However, I do not see a lot of organizations having a better response to MFA.
MFA can be best explained by how the bank systems are using it. These advanced systems are capable of proving an individual’s identity and authenticity by detecting location. They also use a digital forensic fingerprint to identify the user device, browser, regularly accessed network and location. If an unusual login is detected, it invokes a challenge-response authentication approach—a family of protocols wherein one party presents a question and another party must provide a valid answer to successfully authenticate. It protects against unauthorized access to the banking website. In case your login credentials are stolen and someone else tries to access your information, the system identifies that you just logged in from Chicago instead of New York. This invokes a challenge for the authentication.
Technology changes tremendously and probably the next level of authentication would be physical biometrics. But if it fails, you still have to use some other kind of authentication like passwords.
2. Please explain the different functionalities and approaches of MFA.
Depending on the risk profile of an organization, we could implement solutions that are really robust and have a more supporting architecture. The cost of the control to be implemented has to match the business objective for the organization so that it does not exceed the business's spending tolerance. An example is Microsoft products that come with paid MFA built into their suite of business and enterprise-level agreements.
MFA has conditions of access applied, which means you would challenge the authentication if any of the given conditions are not met. For instance, if I go to Starbucks and log in to the network from my laptop for the first time, the system instantly identifies the new location and MFA will be initiated. Next time, if I go to the same stall and use a different laptop to log in, the system identifies the connection coming from a trusted location but a different machine, invoking the login challenge. This happens to prevent someone else from eavesdropping on the credentials and gaining access from their laptop. MFA is easy to implement in businesses as you are not always authenticating. Moreover, it’s a better way of increasing productivity and enhancing the security posture.
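The access conditions described in this answer, written out as a minimal policy check. This is an added example, not code from the interviewee or from any product; the class names, device identifiers and location labels are hypothetical, and the sample logins are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """Devices and locations that have already passed an MFA challenge."""
    trusted_devices: set = field(default_factory=set)
    trusted_locations: set = field(default_factory=set)

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str  # hypothetical device fingerprint
    location: str   # hypothetical coarse location label

class ConditionalAccess:
    def __init__(self):
        self.profiles = {}

    def evaluate(self, attempt):
        """Return ('allow' | 'challenge', reasons) for a correct-password login."""
        profile = self.profiles.setdefault(attempt.user, UserProfile())
        reasons = []
        if attempt.device_id not in profile.trusted_devices:
            reasons.append("new_device")
        if attempt.location not in profile.trusted_locations:
            reasons.append("new_location")
        return ("challenge" if reasons else "allow"), reasons

    def record_mfa_success(self, attempt):
        """Trust is granted only after the challenge is passed, never on sight."""
        profile = self.profiles[attempt.user]
        profile.trusted_devices.add(attempt.device_id)
        profile.trusted_locations.add(attempt.location)

def replay(attempts):
    """Run (attempt, passes_mfa) pairs through one policy instance."""
    policy, results = ConditionalAccess(), []
    for attempt, passes_mfa in attempts:
        decision, reasons = policy.evaluate(attempt)
        if decision == "challenge" and passes_mfa:
            policy.record_mfa_success(attempt)
        results.append((decision, reasons))
    return results

SAMPLE = [  # constructed logins; the boolean is whether the second factor succeeds
    (LoginAttempt("alice", "laptop-A", "coffee-shop"), True),   # first visit
    (LoginAttempt("alice", "laptop-A", "coffee-shop"), True),   # same laptop, same place
    (LoginAttempt("alice", "laptop-B", "coffee-shop"), True),   # trusted place, new machine
    (LoginAttempt("alice", "laptop-X", "chicago"), False),      # stolen password, no factor
    (LoginAttempt("alice", "laptop-X", "chicago"), False),      # retry is still challenged
]
```

Because a device or location is recorded only after a passed challenge, the two failed attempts with the stolen password never become trusted and are challenged every time.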
3. What are your suggestions to organizations to ensure their vision would turn into reality?
All organizations will need to go passwordless and I could see that happening in the next three years. A password is tough to manage. For instance, you would always be authenticated because of your identity. So that way, you don’t have to enter a password.
4. What are your personal traits or hobbies that helped you grow as a cybersecurity expert?
Being a highly engaging leader, I always make sure to work with different employee levels within the organization to discuss the challenges they are facing in enabling successful business operations. If there is a security control inhibiting the progress, I would evaluate the controls to identify incompatibilities.
I always keep engaged in a strategic partnership with the technology industry. Moreover, my passion for problem-solving drives me to figure out the best way to approach a subject, and to have an open mind to different solutions for the best results.
5. What do you predict of the MFA industry in the long run?
I foresee the evolution of a passwordless ecosystem. Future authentication will depend on token software, hardware, the identity of the person, and intelligent systems. Universal authentication frameworks will enable users to experience a universal second-factor authentication feature.
Many of the existing techniques can be combined with biometric methods. However, all these technologies have to mature as machine learning could really take on somebody’s identity like what we saw in Barack Obama’s case. They digitized his face and voice and were able to make him say things like an exact clone of Barack Obama.
Cybersecurity and its continuous innovation add a virtual value to enable businesses to transform safely. Multifactor authentication, the next generation of safe authentication using multiple techniques, is another virtual value that cybersecurity is providing to businesses to succeed.