Corporate personnel and consumers have likely experienced one or more waves of multi-factor authentication (MFA) adoption firsthand.
The first wave of MFA was driven by the adoption of Zero Trust during the work-from-anywhere era. As out-of-office staff connected to a variety of cloud-based services via corporate and BYOD devices, there was an added need to confirm that a user trying to access these corporate resources was who they said they were.
Recently, a second wave of MFA adoption occurred in the wake of several high-profile cyber attacks and data breaches in Australia. In at least one of these attacks, a legitimate set of credentials was used to access and export data, and a number of organizations initiated urgent security reviews afterwards.
One action point was to confirm that existing MFA implementations are effective in the current corporate environment. Another was the rapid deployment of MFA in organizations that were largely under-equipped.
The short version: not every organization has MFA, and even those that do may not have it right yet.
Where the MFA goes wrong
Some organizations have put MFA on top of everything, but not in a user-friendly or user-centric way.
This is evident in the number of MFA prompts and push notifications being created and sent. We saw first-hand one customer with over 240 MFA-enabled apps generating almost 40,000 prompts per day, of which about 65 percent were excessive and likely annoying users. This is not uncommon for organizations with a regional Asia Pacific presence, and small and medium-sized companies disproportionately face the same type of challenge.
The phenomenon of MFA fatigue is a real problem in these scenarios. Constant push notifications and verification prompts are seen as a hindrance to productivity, and users come to associate them, and security in general, with nuisance. They stop paying close attention and approve prompts reflexively. Attackers have understood this and used MFA fatigue to malicious effect; last year's Uber breach was a prime example.
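To put numbers like the ones above on your own environment, here is an added Python example (not code from the article or from any vendor it describes) that reads a constructed MFA prompt log, counts the prompts that arrive shortly after a user has already passed a challenge (the "excessive" share), and flags bursts of prompts that look like a user being worn down. The log format, the 30-minute reuse window, the 10-minute burst window and the threshold of five prompts are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an MFA prompt log (not from the article): one prompt per line,
# "timestamp user application outcome". Alice is a busy but normal user; Bob's burst of
# denied prompts at night is the pattern an MFA-fatigue attack leaves behind.
SAMPLE_LOG = """\
2023-05-01T08:00:05Z alice crm approved
2023-05-01T08:01:10Z alice mail approved
2023-05-01T08:02:30Z alice hr approved
2023-05-01T08:40:00Z alice crm approved
2023-05-01T08:45:00Z alice wiki approved
2023-05-01T09:00:00Z carol mail approved
2023-05-01T22:10:00Z bob vpn denied
2023-05-01T22:11:00Z bob vpn denied
2023-05-01T22:12:00Z bob vpn denied
2023-05-01T22:13:00Z bob vpn denied
2023-05-01T22:14:00Z bob vpn approved
"""


def parse_log(text):
    """Turn the log text into a list of event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "app": app, "outcome": outcome})
    return events


def _by_user(events):
    """Group events per user, each group sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def prompt_stats(events, reuse_window=timedelta(minutes=30)):
    """Per user: total prompts, and how many arrived within reuse_window of an
    approved prompt. Those are candidates for removal: the user just proved
    their identity, so another prompt adds friction but little assurance."""
    stats = {}
    for user, evs in _by_user(events).items():
        last_ok, redundant = None, 0
        for e in evs:
            if last_ok is not None and e["ts"] - last_ok <= reuse_window:
                redundant += 1
            if e["outcome"] == "approved":
                last_ok = e["ts"]
        stats[user] = {"total": len(evs), "redundant": redundant}
    return stats


def excess_ratio(stats):
    """Share of all prompts that were redundant: the figure to track over time."""
    total = sum(s["total"] for s in stats.values())
    return sum(s["redundant"] for s in stats.values()) / total if total else 0.0


def fatigue_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` prompts inside any `window`.
    Returns {user: (prompts_in_window, denied_in_window, window_start)} for the
    densest window per flagged user; many denials followed by an approval is
    the signature of a user who finally gave in."""
    flagged = {}
    for user, evs in _by_user(events).items():
        j = 0
        for i in range(len(evs)):
            # Sliding window: j only moves forward because events are sorted
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            count = j - i
            if count >= threshold and count > flagged.get(user, (0,))[0]:
                denied = sum(1 for e in evs[i:j] if e["outcome"] == "denied")
                flagged[user] = (count, denied, evs[i]["ts"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stats = prompt_stats(evs)
    print(stats, f"excess ratio {excess_ratio(stats):.0%}")
    print(fatigue_bursts(evs))
```

The redundant share is what to drive down with session reuse and risk-based policy; the burst detector is what to alert on, since a legitimate user rarely receives five prompts in ten minutes and denies most of them.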
Surveys also make clear that MFA implementation is not up to the mark. A recent consumer survey found that only 35 per cent of Australians would rate their experience of accessing online services as "very efficient"; the other two-thirds were less positive. At the same time, many understood the value proposition of MFA and wanted it used to protect their accounts and data, as long as it didn't compromise convenience or the overall user experience.
With today’s consumer-driven experiences in demand in the workplace, it’s likely that these results will show up in the enterprise space as well. Employees have no problem with MFA as long as it does not create inconvenience.
Getting the MFA right
Increasingly, what sets businesses apart in their MFA implementations is the customer- or employee-centric focus and how it’s connected.
This people-centric ethos is already permeating many parts of organizations. Technology teams use human-centered design (HCD) techniques when defining new systems to improve use and adoption. Customer-facing parts of organizations, especially in highly regulated industries such as banking and telecommunications, are investing heavily in KYC – know-your-customer – processes, both to reduce risk and to personalize offers.
Security, and MFA in particular, should be treated the same way. This is done by layering risk-based authentication into the MFA system: it uses pre-programmed intelligence to assess whether or not a user poses a threat and needs to be prompted to re-authenticate.
A good risk-based authentication engine can collect dozens of signals about a user that help establish who they are: whether they are connecting from a device or network they always use, which application they want to access, and from what geographic location.
Risk-based authentication learns the patterns of each user and assesses the risk of each request and action. The MFA policy uses this risk score to decide whether to approve or deny the authentication, and which type of MFA to require in different scenarios.
Organizations can define risk profiles according to their risk appetite. If user X uses another of their devices in the same physical location over a known network, this may be allowed without an MFA challenge. However, if the same person tries to use a new, unrecognized device to access HR or payroll systems or data, the risk profile may dictate that an MFA challenge be triggered to confirm that the user is who they say they are and that their access to those systems is justified.
For a user, such a system builds trust. When I travel to another country and sign in from another jurisdiction, I feel good knowing that the risk engine has noticed a significant change in my behavior and that I am asked to complete an MFA challenge and sign in to all my applications again.
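The scoring-and-policy loop described above, together with the device, payroll and travel scenarios, as an added Python example (not the article's or any vendor's engine): signals are scored against what the engine has learned about the user, the score is mapped to allow, step-up (with a factor type) or deny, and a passed challenge teaches the profile the new device, network or country. The signal weights, thresholds, sensitive-app list and the sample user "alice" are all assumptions.

```python
from dataclasses import dataclass, field

# Applications whose data raises the score on their own (constructed list)
SENSITIVE_APPS = {"hr", "payroll"}

# Signal weights and decision thresholds are illustrative assumptions, not from the article
WEIGHTS = {"unknown_device": 35, "unknown_network": 20, "new_country": 40,
           "new_city": 10, "sensitive_app": 25}
THRESHOLDS = {"allow": 25, "push": 60, "strong": 100}  # score below value -> that tier


@dataclass
class UserProfile:
    """What the engine has learned about one user from past successful sign-ins."""
    known_devices: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    home_city: str = ""


@dataclass(frozen=True)
class LoginRequest:
    user: str
    device_id: str
    network: str
    country: str
    city: str
    application: str


def risk_score(profile, req):
    """Return (score, reasons): each signal that fires adds its weight."""
    reasons = []
    if req.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if req.network not in profile.known_networks:
        reasons.append("unknown_network")
    if req.country not in profile.known_countries:
        reasons.append("new_country")
    elif req.city != profile.home_city:
        reasons.append("new_city")
    if req.application in SENSITIVE_APPS:
        reasons.append("sensitive_app")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score, reasons):
    """Map a score to an action, the MFA factor to demand, and whether every
    existing session should be re-authenticated (we do that on a jurisdiction change)."""
    revoke = "new_country" in reasons
    if score < THRESHOLDS["allow"]:
        return {"action": "allow", "factor": None, "revoke_sessions": revoke}
    if score < THRESHOLDS["push"]:
        return {"action": "step_up", "factor": "push", "revoke_sessions": revoke}
    if score < THRESHOLDS["strong"]:
        # Higher risk gets a phishing-resistant factor (e.g. a hardware key), not a push
        return {"action": "step_up", "factor": "phishing_resistant", "revoke_sessions": revoke}
    return {"action": "deny", "factor": None, "revoke_sessions": revoke}


def handle_login(profile, req, mfa_passed=None):
    """Evaluate a request; when access is granted (directly or after a passed
    challenge), learn the device, network and country so the next visit is quieter."""
    score, reasons = risk_score(profile, req)
    decision = decide(score, reasons)
    granted = decision["action"] == "allow" or (decision["action"] == "step_up" and mfa_passed)
    if granted:
        profile.known_devices.add(req.device_id)
        profile.known_networks.add(req.network)
        profile.known_countries.add(req.country)
    return score, decision


def sample_profile():
    """Constructed profile for a user who works from Sydney on two known devices."""
    return UserProfile(known_devices={"laptop-1", "phone-1"},
                       known_networks={"corp-wifi", "home-isp"},
                       known_countries={"AU"}, home_city="Sydney")


def demo():
    """Run the article's scenarios and return the action chosen for each."""
    alice = sample_profile()
    cases = {
        "usual": LoginRequest("alice", "laptop-1", "corp-wifi", "AU", "Sydney", "crm"),
        "other_known_device": LoginRequest("alice", "phone-1", "corp-wifi", "AU", "Sydney", "crm"),
        "new_device_crm": LoginRequest("alice", "tablet-9", "corp-wifi", "AU", "Sydney", "crm"),
        "new_device_payroll": LoginRequest("alice", "tablet-9", "corp-wifi", "AU", "Sydney", "payroll"),
        "travel": LoginRequest("alice", "laptop-1", "hotel-wifi", "SG", "Singapore", "crm"),
        "everything_new": LoginRequest("alice", "tablet-9", "cafe-wifi", "SG", "Singapore", "payroll"),
    }
    return {name: handle_login(alice, req)[1]["action"] for name, req in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action}")
```

The point of the tiers is that friction scales with risk: a second known device costs the user nothing, an unknown device on a routine app gets a push, an unknown device on payroll or a sign-in from a new country gets a stronger factor, and a request where every signal is unfamiliar is refused outright rather than turned into yet another push for the user to approve.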
MFA remains the simplest thing organizations can do to improve their security posture for employees and customers. By combining MFA with a really good risk engine, organizations can limit fatigue and turn friction or frustration into meaningful protection against a wide range of cyber threats.