Getty Images/iStockphoto
MFA technology is rapidly evolving -- are mandates next?
The evolving landscapes of both the modern workplace and cyberthreats have paved the way for some organizations to require multifactor authentication protection. Will others join?
The rise in remote and hybrid work has led to an increase in the use in multifactor authentication in the workplace and consumer settings, leading some organizations to require the technology for certain users and accounts.
While various forms of multifactor authentication (MFA) have existed for decades, whether it be via online banking or just entering your zip code at a gas station, its use in enterprise networks has increased greatly over the last few years. Since the start of the pandemic, working remotely has become commonplace in nearly every sector.
New technologies are one of the greatest contributing factors to the need for MFA. Helen Patton, advisory CISO at Cisco and the former CISO of Ohio State University, described how the propagation of mobile devices has made authentication and identity management much more challenging.
"Over the last 20 years or so, it's become more and more problematic as more of our technology has become remote," Patton said. "If you went back to the early '90s, you had to use your corporate card to swipe into an office to get into the office to sit at a desk that was had a machine on it that was owned and managed by the organization. Because you were in the office on their device physically on their network. We said 'Yep, that's got to be Helen because it's too much of a pain in the butt to do otherwise.'"
Now, however, with many employees working from their homes or wherever they choose, it's even more important to be able to verify who is accessing what on a company network. In addition, cybercriminals have increasingly focused on obtaining employee credentials, either through phishing emails and other attacks or purchasing them on dark web marketplaces.
For example, there have been many instances where threat actors attempt to gain access through employee VPN credentials that they either purchase or steal. The increasing threats led President Joe Biden to sign an executive order requiring MFA for federal agencies last May. MFA adoption is also a frequent recommendation in advisories from infosec vendors as well as government bodies like the Cybersecurity and Infrastructure Security Agency.
Patton said the commoditized cyber threats, particularly with ransomware groups, coupled with the sharp increase in remote work, have put a premium on MFA. "The changing technology, the changing of the kind of threat actors we have to deal with, the change in the way we manage payments -- all of those things have led to us needing a better and more ubiquitous use of MFA," she said.
Aaron Goldsmid, vice president of account security at MFA vendor Authy, said the pandemic also highlighted the importance of MFA for consumers.
"The pandemic led to an acceleration from physical to digital, and ultimately furthered the mobile-first movement," Goldsmid said in an email to SearchSecurity. "Consumers found new ways to get things done online (e.g. banking, buying groceries, ordering takeout) and often needed to create a new account to conduct business. IBM found that consumers' reliance on digital channels increased significantly during the pandemic, with individuals creating an average of 15 new online accounts during that time. With this, a new problem emerged: the potential for fraud at the sign-up stage."
Now, some companies have implemented MFA mandates for users and employees alike. Goldsmid noted that other governments are already beginning to implement MFA requirements.
"New Jersey has recently passed new legislation requiring all sports betting and gaming operators to implement 2FA, and we can expect additional states and countries to follow suit," he said. "The EU passed the PSD [Payment Services Directive] 2 legislation requiring strong customer authentication for transactions over a certain dollar value to protect the consumer from fraudulent or unauthorized purchases."
Advantages of MFA
Despite the protection provided, MFA adoption has faced adoption challenges over the years; consumers and employees often viewed the extra step of receiving a text message or email with a one-time password (OTP) as a cumbersome and unnecessary step for the login process.
But some of the views may have shifted during the pandemic as employees have embraced remote work. Sumit Bahl, Okta's director of workforce identity security, described what he sees as the upside of having to use MFA.
"I think that for most employees if you give them the chance to work from anywhere on the planet, and the tradeoff is that they are going to use a second factor, I think that most employees would be comfortable with that," Bahl said. "If we're talking about something that's baked into your mobile device or is really the same way that you have to interact with your own mobile banking app, we're not talking about a great inconvenience and so the tradeoff is there even on the individual level."
On the threat side of the equation, MFA has proven to be effective in protecting accounts and limiting the potential damage of exposed credentials. For example, Patton said MFA can be the difference between exposed credentials and a full-blown breach.
"You may still have a phish that occurs where someone gives up their password, but they're not likely to give up their password and the second factor at the same time," Patton said. "Now we are seeing the kinds of phishing attacks that that are targeting the authentication factor, but they are typically not also getting in the password at the same time. So you're just making it that much more difficult for an attacker to be able to get to get into the systems that the MFA is trying to protect."
Patton also said the cost effectiveness of deploying MFA is a major plus for enterprises. "When you look at the data in terms of companies that have MFA and suffer consequences from phishing and other kinds of hacking versus the companies that don't, it pays for itself," she said. "Yes, there is an outlay of expense to get it done. But even if there's an outlay, it is still worth it because the cost of dealing with an incident and recovering from an incident is so much more than what you would pay for MFA."
MFA hesitancy
While MFA provides an effective protection for accounts, there are still many organizations who have yet to fully commit to the concept.
Patton said concerns about the user experience, specifically the time it takes to authenticate individuals, is one of the main sticking points for groups that are reluctant to employ it.
"Usually, it was the customer interface experience and a perception that it would negatively impact that was the primary objection," Patton said, adding that operational costs to support a well-functioning MFA system can also be a concern.
Subpar usability of MFA deployments was a frequent complaint that Bahl found when discussing the service with customers in the past. He said that people took issue with how often they would have to authenticate themselves or that sometimes they would need their mobile devices to authenticate but the devices were nowhere to be found.
"Adding 2FA/MFA can result in additional friction for the end-user," Goldsmid said. "Growth and acquisition teams want to build user flows that enable consumers to speed through sign-up or transactions -- and want to remove as many friction points as possible."
Another issue for MFA is that common forms are not totally secure. In 2017, the National Institute of Standards and Technology deprecated SMS-based MFA, for example, and recommended that users move towards other authentication factors. More recently, companies such as Microsoft have also removed support got two-way SMS authentication over concerns that text messages with OTPs could be intercepted. While many security experts say SMS-based MFA is still better than no MFA, many vendors have introduced dedicated authentication apps for mobile devices and other, more secure means for verifying logins.
Future of MFA
While some are still hesitant to use MFA, countless organizations from technology enterprises to public universities have adopted the tool, and easier ways to authenticate individuals are being developed. Both private and public sector organizations are further pushing the security landscape towards the service with user and/or employee policies that require MFA.
"If you look at the whole industry right now, cyber insurance providers are requiring multifactor authentication [for policies]," Bahl said. "If you look at Biden's executive order to improve federal cybersecurity, they want to lead by example and they are shifting to MFA. Salesforce is now requiring their customers to enable multifactor authentication to access apps and services. Apple is going to the same route. There is a shift that is happening when all of these high-level trends are driving companies to think about multifactor authentication."
GitHub was one of the most recent companies to make the move. In a recent statement, the group announced that it would begin to require two-factor authentication (2FA) in 2023 to make its code repository service more secure.
Many universities both in the United States and abroad require MFA in order to secure both employee and student data. Some of these schools include Northwestern University, the University of Bristol, the University of Maryland and Washington State University.
While MFA is becoming more commonplace, identity and access management vendors have a bigger long-term goal: passwordless authentication.
Jason Oeltjen, vice president of product management at Ping Identity, said the transition away from passwords will require more than just alternate authentication factors.
"To be successful, multifactor and passwordless authentication will increasingly be coupled with intelligence, which will use factors transparent to the user to help determine valid login attempts," Oeltjen said in an email to SearchSecurity. "These intelligence engines continually monitor and can recognize humans versus bots, along with many other bad actor login attempts, through machine learning and pattern recognition."
Okta Verify, an app that can be installed on a mobile device, is a common authentication factor for Okta users. Bahl said that he is seeing the use of Okta Verify and its Fast Pass service, which implements biometric login as one of the main authentication methods. According to Okta, 85% of its customers are now using Okta Verify for their authentication.
Patton also identified passwordless authentication and specifically the use of biometrics as driving the next wave of MFA technology, thanks in part to increasing support for industry standards like the Fast Identity Online Alliance (FIDO).
"We're certainly seeing the rise of biometrics," Patton said. " It's a more secure solution than it used to be, and there are FIDO standards that support hardware-based biometrics that have been published -- this is what Duo and Cisco are basing their passwordless authentication on, and this is what Microsoft and others are basing it on. The standards are better, the hardware biometrics are better and it's easier for the for a consumer to use."