Before we go into how Multi-factor authentication (MFA) has changed, let’s have a quick look at what MFA is.
With MFA, users must provide two or more “factors” of authentication when they access applications, networks and resources. MFA implementations use a combination of the following factors:
- Something you know: such as a username, password, PIN or the answer to a security question.
- Something you have: such as a smartphone, one-time pass token or smart card.
- Something you are: biometrics like your fingerprint, retina scans or voice recognition.
Now that we understand what MFA is, I'd like to point out that in today’s IT world, relying on a simple username and password authentication is not enough to protect your enterprise against the growing number of sophisticated cyberattacks. Implementing MFA for end users, privileged users, cloud and on-premises application, servers, database, VPN and any other resource spoils cyberattacks at ingress points across the entire attack surface and protects from breaches caused by compromised credentials.
That brings me to what most of us remember, or are still subject to -- having used a RSA Secure ID, a Symantec VIP or similar token. One of the major annoyances with those tokens is that if you don’t type in the code displayed fast enough your authentication will fail and you must start all over again. Or you don’t have it with you because you forgot it in the car, at home, at grandma’s house over Thanksgiving, or you lost it and didn’t notice because your IT department implemented it in such that you only need it once a month, or or or… We all have been there. Which begs the question, "Does it have to be that difficult? Isn’t there a better way doing this?" Well, in my opinion there is. I am going to assume that anyone, who has to provide some form of one time password (OTP) MFA when accessing applications or systems, has a mobile device of some sort -- most likely a phone that is running Android or iOS.Mobile push notifications, SMS-based approvals and more have all changed the way we can supply more than a username and password when authenticating. Let’s be honest with each other and assume that you are most likely not going to forget your cell phone, and if you do, you’ll most likely going to notice rather quickly.
The second, much bigger benefit is that with mobile push notifications for OTP MFA you do not need to type that pesky code anymore. You simply click a big green "Approve" button on that nice easy to read touchscreen and, "voila!" you are logged in. The end-user experience using mobile devices for MFA makes the adoption of elevated security standards for accessing applications and resources so easy now that one should wonder:
- Why isn’t everybody doing it? Is the cost of deploying a good reliable identity and access management (IAM) solutions that supports MFA via various means more expensive than getting breached? Well, the mean cost of a breach is running in the millions.
- Why don't I get rid of static passwords altogether and use OTP only all the time?
I mean the second point is a scary proposition for a lot of people because they argue “What if I lose my phone…” Well, if you lose your phone you cannot log in because of the missing MFA tools and the person who finds your phone cannot login either because:
- Your phone should be protected by a screen password
- You should disable and lock your phone rather quickly after you have discovered its loss
- What are the chances that the person who finds your phone knows your username (assuming you don't lock your phone, which you are suppose to do… just saying)?
The doubters will ask if mobile is secure enough to be used as a MFA token. Is it as secure as a dedicated token? If you have a IAM solution with built in mobile device management (MDM) that enables you to manage both corporate owned and BYO devices with sophisticated policies, you are in a much better position to deploy MFA to secure identities and resources because phones can be tracked, locked and wiped when lost. You are also in a better position because implementation will be a breeze and user adoption will be easy and welcome. So, yes I argue it is as secure, if not more secure, because mobile MFA is easy to use and people will actually adopt it welcomingly.
In conclusion, the point I am trying to make here is that like many of my friends and coworkers, I always have my phone with me. I am already using my phone as my wallet, my house key, my garage door opener and more. So why can’t I get rid of all my tokens and just use my phone as OTP token? Wouldn’t that be wonderful? Until we reach the point of abandoning usernames and passwords, I think it is time to protect all your end users, privileged users, applications, servers, networking devices, databases and resources with MFA.
Learn more about MFA with our ebook, Level up Your Security.