Quarterly insights: Cybersecurity

Authentication tech: Secure or user friendly? Increasingly both

The weakness of password-only authentication for access to protected data is well known. Multifactor authentication (MFA) is a long-established way to address this weakness, but it wasn’t practical to deploy widely until the advent of cell phones and SMS for delivering second authentication factors. With nearly everyone owning a mobile phone today, MFA has become a familiar, regular, and highly trusted experience for most internet users.

As MFA has become more prevalent, bad actors have directed their attention to defeating it and have developed relatively simple ways to compromise basic MFA. Organizations can respond by implementing enhancements that cost more and require more user effort, but there’s no one-size-fits-all solution. The key is finding the right balance between the value of the data being protected and the cost and user effort associated with different security levels.

We discuss the evolution of MFA, its vulnerabilities, and some of the ways basic MFA can be enhanced to address those vulnerabilities. We also provide a brief survey of prominent MFA solution providers.

TABLE OF CONTENTS

Includes discussion of CYBR, MSFT, OKTA, OSPN and two private companies

  • Beyond the simple password
  • Digital MFA defined and brief history
  • Basic MFA can be defeated
  • Finding the right balance between MFA security level, risk, and resources
  • No rest for the MFA fatigued
  • Cybersecurity index ends near lowest level in a year
  • Cybersecurity M&A: Notable transactions include ForgeRock, Cider Security
  • Cybersecurity private placements: Noteworthy transactions include Snyk, NetSPI

Beyond the simple password

Nearly everyone is aware of the ease of using simple usernames and passwords to access accounts on computers and phones, and of the attraction of reusing the same ones everywhere and having every device remember them for every account. Nearly everyone is also aware of the risks of doing so. Account administrators try to reduce these risks by demanding that users regularly change their passwords and use ever more complex and unique ones, much to the frustration of users. In the face of these challenges, digital multifactor authentication (MFA) has seen increased adoption because it provides a path to the holy grail of authentication – better security and ease of use. But MFA is not a silver bullet. Bad actors have developed novel attack techniques to compromise MFA. Ultimately, the increasing complexity of securely authenticating online access means there’s no one-size-fits-all solution. Rather, it’s more important than ever to use thoughtful approaches that take into account dynamic risk measures as well as the IT sophistication and capabilities an organization can bring to bear on its authentication needs. Thankfully, there are solutions that cater to all types of profiles, and the range of solutions is increasing with innovative offerings that enhance basic MFA. We think this innovation will spur increased spending in the category.

Digital MFA defined and brief history

Digital multifactor authentication uses two or more methods to authenticate the identities of people (or in some cases computers) seeking access to protected data. Two-factor authentication (2FA) uses exactly two methods. Relative to using a single factor – particularly a static username and password – authenticating identity through multiple steps reduces the likelihood of bad actors gaining access to sensitive information. Often, MFA uses a username and password as one factor and one of several other factors as the second. The other factors generally fit into one of three categories:

  • Something users know, such as PINs and answers to questions only authorized users would know
  • Something users have, such as digital tokens users carry and one-time passwords provided by users’ smartphone apps and smartcards
  • Something users are, that is, biometrics such as fingerprints, facial images, retinal scans, phone behavior patterns, and voice patterns

In the 1980s, MFA technology usually used cards or fobs, like RSA’s SecurID tokens, that generated time-synchronized one-time codes as a second authentication factor. While this was generally effective at protecting assets, users found it cumbersome to carry a dedicated device for authentication. Employees frequently misplaced or lost their devices and then had to contact support staff to regain access to their protected information. The difficulty only compounded for users who needed to carry multiple tokens for unrelated accounts.

Cell phones came to the rescue in the late 1990s with the advent of MFA solutions that sent second authentication factors as short-message-service (SMS) codes to users on a device they seldom lost and used constantly in their daily lives. As phones became more sophisticated and evolved into smartphones, it became feasible to use them for authentication protocols beyond SMS codes. With these changes, MFA became a daily experience for almost everyone using the internet, marking the advent of universally accessible authentication that was both relatively secure and user friendly.

Qi Cybersecurity Cover Jan 2023