Intelligent CISO Issue 51 | Page 65

Organisations must move to passwordless technologies where users authenticate themselves through means that are much harder to hack.
BUSINESS SURVEILLANCE
This begs the question: how can organisations protect against this kind of attack, and what protections does MFA provide to secure the business?
A passwordless future
The username and password system that forms a large part of professional and personal digital security is not a robust protection against modern-day attacks. For instance, it is susceptible to brute-force attacks (where attackers gain access by repeatedly trying passwords until they guess the right one). Because passwords are already too weak, it is no overstatement to say that they will not hold the prominent place in the future that they hold today. Instead, organisations must move to passwordless technologies where users authenticate themselves through means that are much harder to hack.
Such passwordless technologies are an example of MFA that offers benefits not found in previous MFA technology options. MFA requires at least two proofs of identification:
1. Something you know (i.e. knowledge factors)
2. Something you have (i.e. possession factors)
3. Something you are (i.e. inherence and location factors)
Authenticating a user's identity in at least two of these different ways is critical in securing access to privileged information.
Knowledge factors include usernames, passwords, PINs and security questions; possession factors refer to bank or ID cards, security tokens, one-time passwords and smartphones; inherence factors involve fingerprints, facial and voice recognition, retina scans and even users' keyboard patterns; and location factors will not typically be inputted by a user, but instead determined automatically through geo-positioning.
By definition, MFA varies the factors used to authenticate the user. For instance, a password followed by a digital code that can only be used once and is sent to the user's phone proves both that the user knows their password and that they hold the physical phone.
At some point, a user has to obtain multiple proofs of their identity in order to use MFA. This is obvious. What is less apparent is that allowing a user to enrol these proofs on their own behalf may increase security, but it does not increase the assurance that they are who they say they are. In other words, this user-established MFA decreases the chance of account takeover, but does not increase the confidence that the user is who they claim to be. Identity assurance can only be increased if the proof, the factor, is verified by some trusted entity other than the user themselves. For instance, in banking security, a user will need to present themselves at a bank with approved ID in order to receive a device and a PIN. When the PIN is entered into this device, it generates special codes that the user can use to unlock new features or access sensitive information. In this way, the device coupled with the user's password not only makes it harder for an attacker to steal their identity; it also gives computer systems greater confidence in the actual identity of the user, because that user was verified in person at the bank branch.
Balancing security and usability
Ideal MFA systems combine security with good usability. Maintaining security is crucial; user experience (UX) is also critical, and businesses don't want to lose customers or slow down teams through unnecessarily complex authentication. As such, organisations need to find a balance between security and usability. Step-up authentication is one way of achieving this, and it is currently where organisations should be focusing their attention.
Beyond this, organisations should deploy continuous and adaptive techniques that reduce the need for additional authentication factors whenever it is possible to be more confident that the user is genuine. One way of doing this is by placing time restrictions on different authentication factors. If a user continues to use the same browser or a trusted device, for instance, they may not be required to authenticate with a second factor for a week. If, however, the user's behaviour is seen to change in an unusual manner, step-up authentication can be imposed. This kind of adaptive authentication is important to avoid 'MFA fatigue': users who are continually bombarded with requests for an additional factor may routinely accept challenges and fall victim to 'MFA prompt bombing'. Smartly reducing the number of times a user must provide additional proof of their identity is an important next step for organisations. By proceeding in this manner, the future will be passwordless.
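The adaptive step-up policy described above, sketched as a small decision function. This is an added example, not code from the article or from any vendor product; the one-week trusted-device window, the failed-attempt threshold, the user profile layout and the "Alice" scenario are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values; the article's example is one week per trusted device)
TRUSTED_DEVICE_WINDOW = timedelta(days=7)
FAILED_ATTEMPT_THRESHOLD = 3

@dataclass
class LoginContext:
    device_id: str                 # browser or device identifier (e.g. a cookie)
    country: str                   # coarse location from geo-positioning
    failed_attempts_last_hour: int
    now: datetime

@dataclass
class UserProfile:
    # device_id -> when the user last completed a second factor on that device
    trusted_devices: dict = field(default_factory=dict)
    usual_countries: set = field(default_factory=set)

def step_up_reasons(profile: UserProfile, ctx: LoginContext) -> list:
    """Return why a second factor is required; an empty list means the password
    alone is accepted because confidence in the user is already high."""
    reasons = []
    last_mfa = profile.trusted_devices.get(ctx.device_id)
    if last_mfa is None:
        reasons.append("unrecognised device")
    elif ctx.now - last_mfa > TRUSTED_DEVICE_WINDOW:
        reasons.append("trusted-device window expired")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual location")
    if ctx.failed_attempts_last_hour >= FAILED_ATTEMPT_THRESHOLD:
        reasons.append("recent failed attempts")
    return reasons

def record_second_factor(profile: UserProfile, ctx: LoginContext) -> None:
    """After a successful second factor, trust this device from now on."""
    profile.trusted_devices[ctx.device_id] = ctx.now
    profile.usual_countries.add(ctx.country)

def demo(days_later: int, country: str = "GB", failures: int = 0) -> list:
    """Constructed scenario: Alice completed MFA on her laptop on 1 Jan 2024 from GB."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = UserProfile(trusted_devices={"laptop": t0}, usual_countries={"GB"})
    login = LoginContext("laptop", country, failures, t0 + timedelta(days=days_later))
    return step_up_reasons(alice, login)
```

Calling `demo(2)` returns an empty list (no prompt: same laptop, two days later, usual country), while `demo(9)` returns `['trusted-device window expired']` and `demo(2, "US")` returns `['unusual location']`, so only the unusual sign-ins cost the user an extra challenge.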