President Biden’s Executive Order on securing federal agencies and critical infrastructures has created momentum for multifactor authentication (MFA). All government and private organizations are required to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
Although machine identities are required to establish trusted communications between dispersed devices and services, multifactor authentication is also essential to protect apps and services from unauthorized access. Machine identity management and multifactor authentication are a key part of a zero-trust security strategy.
While many vendors offer MFA solutions, the question is often “what is the best solution?” However, this post is not going to evaluate vendors but will provide some guidelines on how to select the best MFA solution.
How and where is MFA deployed?
The acceleration of cloud migration and the proliferation of containers, microservices and IoT devices have placed machine identities at the center of corporate security, making identity and access management (IAM) more important than ever. The level and speed of disruption and the subsequent accelerated adoption of multiple cloud platforms have pushed security teams to their limits by making it ever more difficult to apply appropriate levels of authentication at multiple entry points.
These changes have also encouraged organizations to re-evaluate the state of existing user authentication mechanisms, and many are looking to evolve their authentication approaches. In the process, organizations have realized that in-place IAM implementations have not been adequate to support and secure new business models. Hence, evolving access controls is crucial for business continuity and resilience.
Multifactor authentication is an important component of strong authentication. A recent survey by Thales indicates that 55% of the respondents have adopted two-factor authentication. According to the same report, MFA was deployed mostly in areas that are evaluated as high risk. For example, access to corporate data by the remote workforce was secured with MFA at 71% of surveyed organizations, while half of these businesses used MFA to secure their supply chains.
What are the criteria to select an MFA solution?
Authentication establishes confidence in the claimant’s identity when they log on to an app or service, by showing that they hold one or more authentication factors that are bound to their digital identity. However, authentication does not determine the individual’s authorizations or access privileges.
Multifactor authentication solutions help organizations improve their overall level of security by requiring each user to prove their identity using various authentication methods before they can access sensitive information, applications or devices. This helps protect against attackers gaining unauthorized access to sensitive company data.
These authentication factors are:
- Knowledge factor (“something you know”), when you show that you know certain information, such as PINs or passwords.
- Possession factor (“something you have”), where you prove that you have a certain physical device on you, such as a smartphone or a USB token.
- Inherence factor (“something you are”), when the system accepts you by using biometrics, such as fingerprints and behavioral biometrics.
Multifactor authentication refers to the use of more than one of the above factors. The strength of authentication systems is largely determined by the authentication technology deployed and the number of factors incorporated by the system—the more factors employed, the more robust the authentication system.
The best MFA solutions will combine these factors, using biometric and contextual features to increase security through adaptive authentication while keeping the log-in process as smooth as possible. The best solutions should also be easy to manage and easy to deploy across an organization at scale, protecting both cloud and on-premises applications. Therefore, balancing security with usability is an important criterion for selecting an MFA solution.
Ultimately, many more factors need to be considered besides user experience and access security, including:
- The criticality of the machine—device, application, service—to be accessed
- The user’s geographic location
- The role and privileges of the user
- The sensitivity of the data
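An added example, not part of the original post or any vendor's product: a minimal adaptive-authentication policy that maps the four criteria above to a required number of distinct factor categories, and counts categories rather than authenticators. The scoring thresholds, authenticator names and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor category of each authenticator type. The three categories come from
# the list above; the authenticator names are illustrative assumptions.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "usb_token": "possession", "smartphone_app": "possession",
    "fingerprint": "inherence", "behavioral": "inherence",
}

@dataclass(frozen=True)
class AccessRequest:
    resource_criticality: int   # 1 (low) .. 3 (high): device, app or service
    data_sensitivity: int       # 1 (public) .. 3 (restricted)
    privileged_role: bool       # administrator or similar role
    country: str                # where the request originates
    usual_countries: frozenset  # where this user normally signs in

def distinct_factors(authenticators):
    """Count factor categories, not authenticators: password + PIN is one factor."""
    return len({FACTOR_CATEGORY[a] for a in authenticators})

def required_factors(req):
    """Map the four context criteria to a minimum number of distinct factors."""
    score = max(req.resource_criticality, req.data_sensitivity)
    if req.privileged_role:
        score += 1
    if req.country not in req.usual_countries:
        score += 1  # unusual location raises the requirement
    if score <= 1:
        return 1
    return 2 if score <= 3 else 3  # assumed thresholds

def decide(req, presented):
    """Return 'allow', or 'step_up' when another factor category is needed."""
    unknown = [a for a in presented if a not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown authenticator(s): {unknown}")
    need = required_factors(req)
    return "allow" if distinct_factors(presented) >= need else "step_up"

if __name__ == "__main__":
    # Constructed sample request: an administrator reaching restricted data
    # from a country outside their usual sign-in locations.
    admin = AccessRequest(3, 3, True, "FR", frozenset({"US"}))
    print(decide(admin, ["password", "usb_token"]))                 # step_up
    print(decide(admin, ["password", "usb_token", "fingerprint"]))  # allow
```
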
Multifactor authentication complements machine identities
In today’s environment, an organization’s authentication solution should not be monolithic. Multifactor authentication should work hand in hand with a robust machine identity management program to protect digital initiatives and the success of the business.
The variety of available authentication methods—be it for users or for machines—allows organizations to employ standards-based, pluggable authentication solutions based on mission needs. Stronger user authentication and strong machine identity management require malicious actors to have better capabilities and expend greater resources to successfully subvert machine processes. Strong authentication of users and machines can effectively reduce the risk of attacks.