The continuous growth in the number of connected devices within enterprise environments is driving the adoption of Multi-factor Authentication (MFA (News - Alert)), well beyond the limited Two Factor Authentication (2FA), which has been in place for over two decades. MFA has taken off in the last several years and has matured into a “must have” with an increasing amount of options or “factors” including biometrics, geofencing and more.
Companies are developing more user-friendly, and at the same time more secure, authentication solutions for users, with rules-based policy-driven systems, enabling IT teams to assign many different levels of authentication, depending on the sensitivity of the data, applications, networks and services in play, and more and more management of this diverse landscape is cloud-friendly and even cloud-native.
Authentication remains a fundamental safeguard against illegitimate access to enterprise assets, be they digital or physical. Today, MFA is expected to be utilized in scenarios where security and safety requirements are higher than usual and has become a key element in quality Privileged Access Management (PAM) programs.
Multiple factors have been proven to dramatically improve identity proofing by pairing the knowledge factor with, for example, a biometric factor, making it much more difficult for a criminal to access a system while pretending to be another person. To date, fingerprints have been the most widely integrated biometric interfaces, and have become common even among consumers, as nearly every major smartphone developer now includes this as an option.
It is in the enterprise environment that MFA innovation is flourishing, and with so many digital transformations underway, including the deployment of IoT sensor-based networks, and the automation of those systems (including mission critical physical security systems), more and more investment is going into ensuring the protection of corporate assets, both physical and digital.
Layers, or factors, include passwords, PIN codes, physical tokens, smartcards, smartphones, wearable devices, voice biometrics, facial recognition, ocular-based, hand geometry, fingerprint scanning and even vein recognition at the more granular level.
Geographical location and geofencing are becoming increasingly popular, as is “time of day” access, and other behavioral metrics. And while the industry is hesitant to take on DNA recognition, given so many ethical issues, there is active research underway in this domain (for especially sensitive applications, for example military or other government officials).
With all this innovation and diversity, managing MFA options has been creating operational challenges. We caught up with Ali Gomulu, SecOps, Ironsphere, a global enterprise Privileged Access Management software company, to find out what organizations can do to “manage the back end.”
“The integration of new and stronger security solutions has always been a major challenge for developers, managers and end users,” Ali Gomulu said. “Automation is key, as it can help with user acceptance and administrator productivity. Both are critical aspects when it comes to the successful adoption of strong identity and multi-factor authentication programs.”
Gomulu explained that a balance must be meet when looking across the board, at productivity (task efficiency for all involved), effectiveness (are the steps working to protect assets?), and user experience (which authentication schemes are most easily learned and fast enough to use, so that end users are not motivated to find work-arounds?).
“The properties of the authentication device play a major role in this process,” Gomulu said. “Today, most of the online authentication services are knowledge-based and depend on the username and password combination, while more complex systems require the user to interact with additional tokens, like one-time passwords, code generators, SMS to smartphones, and so forth. These traditional methods are complemented by biometrics which, when done well, are easier for users and less likely to be compromised. It is the storage of all the data associated with every user profile and the quality management of a rules-based policy that is winning, based on the many implementations we have in place. With the right management and automation tools, there can be many levels of authentication and, as long as data architecture and system components are sound, it doesn’t matter which combinations IT leaders choose.”
Ironsphere’s MFA Manager unifies additional layers of security for authentication and user identity verification, integrating mobile device, geolocation, and time, and is part of a range of PAM solutions.
“Even if an employee account is stolen, it is still not possible to access the enterprise’s critical assets/resources, unless the employee’s account and mobile phone are stolen simultaneously.” Ali Gomulu said. “MFA introduces another level to security defense. Even if the password is weak or non-expired, it is exponentially more secure with MFA token verification. With automation, accounts can be immediately locked when an employee leaves, for example.”
When asked if passwordless systems will succeed, Gomulu said, “MFA is a step in the right direction and is a big part of the future of comprehensive enterprise PAM programs, but in our experience working with organizations for years, passwords are likely here to stay, since substituting current knowledge factors, with little or no input from the customer, does not feel comfortable. If biometrics becomes more scalable, more sophisticated, more affordable and so forth, it may replace usernames and passwords completely, but we don’t see that in the near term.”
Ali Gomulu believes MFA will steadily evolve over the next few years and that, with the accessibility of smartphones and wearable, MFA deployment will change. “Nothing will succeed, however, without a unified system to manage all of this, including one that scales technically and economically as organizations become more connected,” Gomulu concluded.