When proving who you are to an identity management (IDM) system, you may have noticed that recently more and more of them are requiring an extra step besides your user ID and password, such as prompts that send codes to your phone when you log in to Gmail, Twitter, or your bank account from a device other than the one you usually use. Just make sure you don't forget the name of your first pet or where your mother was born because you'll probably need to enter that information to prove your identity. These pieces of data, required in combination with a password, are one form of multifactor authentication (MFA).
MFA isn't new. It began as physical technology; smart cards and USB dongles are two examples of devices that were required to log in to computers or software services once the correct password was entered. However, MFA has been rapidly evolving this login process to include other identifiers, such as mobile push notifications.
"Gone are the old days when companies had to deploy hardware tokens, and users got frustrated typing in six-digit codes that rotated every 60 seconds," said Tim Steinkopf, President of Centrify Corp., maker of the Centrify Identity Service. "That was expensive and a bad user experience. Now MFA is as simple as receiving a push notification to your phone." However, even the codes we receive through Short Message Service (SMS) are now frowned upon, according to Steinkopf.
"SMS is no longer a safe transport method for MFA codes as they can be intercepted," he said. "For highly sensitive resources, companies now have to consider even more secure crypto tokens that follow the new Fast IDentity Online (FIDO) Alliance standards." In addition to crypto tokens, the FIDO2 standards incorporate the World Wide Web Consortium (W3C)'s Web Authentication specification and the Client to Authenticator Protocol (CTAP). The FIDO2 standards also support user gestures using embedded biometrics such as facial recognition, fingerprint swiping, and iris scanning.
To use MFA, you'll need to combine factors: passwords and security questions, possession of a device such as a smartphone, or biometrics such as fingerprints and facial recognition, explained Joe Diamond, Director of Security Product Marketing Management at Okta, makers of Okta Identity Management.
"More organizations are now recognizing the security risks associated with SMS-based, one-time passwords as an MFA factor. It's quite trivial for a bad actor to 'SIM swap' and take over the mobile number," Diamond said. "Any user at risk of such a targeted attack should implement stronger second factors like a biometric factor or hard token that creates a cryptographic handshake between the device and the service."
Sometimes MFA isn't perfect. On Nov. 27, Microsoft Azure suffered an outage related to MFA due to a Domain Name System (DNS) error that caused many failed requests when users tried to sign in to services such as Active Directory.
Mobile Push Notifications
Experts see mobile push notifications as the best of the security "factors" because they combine security and usability effectively. An application sends a message to a user's phone notifying the person that the service is trying to log the user in or send data.
"You're logging in to a network, and rather than entering just your password, you get pushed to your device where it says yes or no, you are trying to authenticate this device, and if you say yes, it grants you access into the network," explained Dave Lewis, Global Advisory Chief Information Security Officer (CISO) for Cisco's Duo security business, which offers mobile authentication app Duo Push. Other products offering MFA include the Yubico YubiKey 5 NFC and the Ping Identity PingOne.
Mobile push notifications avoid the one-time passwords sent through SMS, which can be intercepted fairly easily. Encryption is what makes the notifications effective, according to Hed Kovetz, co-founder and CEO of MFA solution provider Silverfort.
"It's just one click, and the security is very strong because it's a whole different device," he said. "You can change the app if it's compromised, and it's fully encrypted and authenticated with modern protocols. It's not like an SMS for example, which is easily compromised because the standard is basically weak and easily breached with the Signaling System 7 (SS7) attacks and all kinds of other attacks on SMS."
MFA Incorporates Zero Trust
MFA is a key part of the Zero Trust model in which you don't trust any network users until you verify that they're legitimate. "Applying MFA is a necessary step in verifying that the user is actually who they say they are," Steinkopf said.
"MFA plays a critical role in any organization's Zero Trust maturity model, as we first need to establish user trust before we can grant access," added Okta's Diamond. "This also needs to be coupled with a centralized identity [management] strategy across all resources so that MFA policies can be paired with access policies to ensure the right users have the right access to the right resources, with as little friction as possible."
Are Passwords Being Replaced?
Many people may not be ready to abandon passwords, but if users are going to continue relying on them they'll need to be protected. In fact, Verizon's 2017 Data Breach Report revealed that 81 percent of data breaches stem from stolen passwords. Those kinds of statistics make passwords a problem for any organization looking to reliably protect its systems.
"If we can solve passwords and get [beyond] them and move into a smarter type of authentication, we will prevent most of the data breaches happening today," Silverfort's Kovetz said.
Passwords aren't likely to disappear everywhere, but they may be eliminated for specific apps, Silverfort's Kovetz noted. He said that eliminating passwords altogether for computer hardware and Internet of Things (IoT) devices would be more complex. Another reason he gave for why completely password-less authentication may not happen soon is that people are psychologically attached to passwords.
Transitioning from passwords also involves a cultural change in organizations according to Cisco's Lewis. "The push away from static passwords to MFA is a cultural shift fundamentally," Lewis said. "You're getting people to do things differently than they've done for years."
MFA Processing and Artificial Intelligence
Artificial intelligence (AI) is being used to help IDM administrators and MFA systems cope with a barrage of new login data. MFA solutions from vendors such as Silverfort apply AI to gain insights on when MFA is necessary and when it isn't.
"The AI part, when you combine it, allows you to make the initial decision of whether a specific authentication should require MFA or not," Silverfort's Kovetz said. He said the machine learning (ML) component of the app may deliver a high risk score if it detects an abnormal pattern of activity, like if an employee's account is suddenly being accessed by someone in China and the employee regularly works in the United States.
"If a user is logging in to an application from the office using their own company-issued PC, then MFA would not be required as that is 'normal,'" Centrify's Steinkopf explained. "But if that same user is traveling abroad or using someone else's device, then they would be prompted for MFA because the risk is higher." Steinkopf added that MFA is often a first step when using additional verification techniques.
CIOs are also keeping a keen eye on behavioral biometrics, which has become a growing trend in new MFA deployments. Behavioral biometrics uses software to keep track of how users type or swipe. While this sounds easy, it actually requires processing large chunks of quickly changing data, which is why vendors are employing ML to help.
"The value in ML for authentication would be to evaluate multiple complex signals, learn a baseline 'identity' of the user based on those signals, and alert on anomalies to that baseline," Okta's Diamond said. "Behavioral biometrics is an example where this can come into play. Understanding the nuances of how a user types, walks, or otherwise interacts with their device requires an advanced intelligence system to create that user profile."
With the evolution of cloud infrastructure, cloud services, and especially the high data volumes of off-premises IoT devices, there's now more than a physical perimeter at an organization's data center location. There's also a virtual perimeter that needs to protect the company's assets in the cloud. In both scenarios, identity plays a key part according to Kovetz.
"Perimeters used to be defined physically, like by the office, but today perimeters are defined by identity," Kovetz said. As perimeters disappear so do the protections that strong firewalls used to provide for wired desktop computers. MFA could be one way to replace what firewalls have traditionally done, Kovetz suggested.
"[With so much in the cloud], where do you put network security products?" Kovetz asked. "[Traditional] network security doesn't really work anymore. MFA becomes the new way of actually protecting your perimeter-less network."
One key way that MFA is evolving beyond the perimeter is through a burgeoning crowd of identity systems being sold on a Software-as-a-Service (SaaS) basis, including most of the IDM services PCMag Labs has reviewed in the past year. "The vast number of SaaS products that allow SMBs to easily get up and running already operate outside the perimeter," said Nathan Rowe, co-founder and Chief Product Officer (CPO) at data security provider Evident. The SaaS model drastically reduces both cost and deployment complexity, so it's a big help for small to midsize businesses because it reduces IT spend and overhead, according to Rowe.
SaaS solutions are certainly the future of IDM, which makes them the future of MFA as well. That's good news as even small businesses are inexorably moving to a multi-cloud and cloud service IT architecture, where having easy access to MFA and other advanced security measures will soon become mandatory.