Multi-factor authentication (MFA) has been a key component of the modern enterprise security architecture. An increasing number of standards, such as the NIST 800-63 series, the Mitre D3FEND framework, and more specific standards such as the PCI-DSS for financial processing, all promote the use of MFA for improved security.
Authentication of individuals focuses upon something they have (a possession factor), something they know (a knowledge factor like a password or PIN) and something they are (an inherence factor, often based on biometrics). MFA requires at least two of the three factors. For over 40 years, authentication for most commercial systems has leveraged usernames and passwords, but a quick Google search for ‘why are passwords bad’ results in 24.8 million hits. The security and usability limitations of password-based authentication are well known, and have resulted in organisations switching to MFA to improve both security and user happiness.
A key factor already improving organisational security practice is the removal of friction and usability constraints with user login events or security challenges.
Over the last 5 years, we have seen a myriad of software-based approaches to MFA, including both the app-based one time password (OTP) generator and the use of push notifications. The other semi-soft approaches many are familiar with include the sending of an OTP via an SMS text message or email. However, both approaches are actively discouraged by the likes of NIST due to vulnerabilities in how the OTP is delivered.
But with the constant hum of omnipresent technology and an ‘always on’ mentality with respect to work and online activity, are we facing app fatigue? The barrage of online material, social media, content, and advertising is driving many to reach for the ‘do not disturb’ functionality for longer periods of the day in order to remove distractions. The use of push notifications for both messaging and advertising could well be creating a ‘snow blindness’ when it comes to parallel notifications referring to login and security events.
The increased use of interruption techniques to grab the attention of the end user could well be to the detriment of organisational security, because it erodes care and attention and conditions users to continually accept inbound messaging. In short, users respond affirmatively to any notification or security alert in order to clear it from the influx, without noticing those which are genuine threats.
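One defensive check that follows from this: look for bursts of push prompts to a single user, and in particular an approval that arrives after a run of denials, since that is the pattern of someone clearing a backlog rather than recognising a genuine login. This is an added example, not code from the article; the log format and the sample lines are constructed.

```python
"""Flag bursts of MFA push prompts to one user (added example; constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event>" where event is one of
# push_sent, push_denied, push_approved.
SAMPLE_LOG = """\
2021-03-01T08:00:05Z alice push_sent
2021-03-01T08:00:09Z alice push_denied
2021-03-01T08:00:31Z alice push_sent
2021-03-01T08:00:40Z alice push_denied
2021-03-01T08:01:02Z alice push_sent
2021-03-01T08:01:15Z alice push_approved
2021-03-01T08:05:00Z bob push_sent
2021-03-01T08:05:07Z bob push_approved
"""

def parse_log(text):
    """Turn the constructed log into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_prompt_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for users who received at least `threshold`
    push prompts within any sliding window of length `window`. The finding
    also records whether an approval followed earlier denials in the burst."""
    sent, outcomes = defaultdict(list), defaultdict(list)
    for ts, user, event in events:
        (sent if event == "push_sent" else outcomes)[user].append((ts, event))
    findings = {}
    for user, prompts in sent.items():
        stamps = sorted(ts for ts, _ in prompts)
        for i, start in enumerate(stamps):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - start <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            horizon = stamps[j] + window          # outcomes still tied to this burst
            burst = [(t, e) for t, e in outcomes[user] if start <= t <= horizon]
            denials = [t for t, e in burst if e == "push_denied"]
            last_denial = max(denials, default=start)
            approved = any(e == "push_approved" and t > last_denial for t, e in burst)
            findings[user] = {"prompts": j - i + 1, "denials": len(denials),
                              "approved_after_denials": bool(denials) and approved}
            break
    return findings
```

The thresholds are starting points; tune the window and prompt count to the prompt volume normal for the service in question.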
Hardware MFA typically comes in the form of smart cards, USB security keys, and OTP generators. Many organisations have leveraged hardware-based security for the most high-risk users and events – but the rollout was often quite focused, due to cost, complexity, or as the result of impact and likelihood calculations performed during risk management.
The main benefits of hardware-based approaches were improved tamper resistance and difficulty of cloning. The flip side was the need for a new operating model to handle hardware issuance, and of course the inevitable device loss use case, whether through theft, misplacement, or damage.
The typical hardware MFA landscape amplifies the security and usability paradox – how can you improve one aspect without impacting the other?
Hardware seems to improve security, but brings with it operational costs and potentially a more intrusive user experience – especially with respect to the onboarding and reset aspects of the credential life cycle.
Is it possible to combine the benefits of software (speed to market, low marginal cost of per-user installation, and simpler upgrades and updates) with the benefits of hardware (improved security and a reduced reliance on notifications and application interruptions)?
We are starting to see a movement towards password-free authentication modalities, where the authentication event still contains two of the three authentication factors, but does not start with or rely upon a shared secret. The most common pairing is biometrics as the inherence factor, via a native application associated with the mobile device, with the mobile device itself acting as the possession factor.
Can the possession factor, which relies on the hardware of the device, the SIM card, and services integrated to the mobile network operator, be leveraged further to provide more hardware-enhanced security?
An ideal approach is to combine the benefits of improved security from hardware with the factors that contribute to end user happiness from software. Can a blended end user experience be achieved by leveraging existing hardware components rather than requiring new ones, and provide a user experience that’s more secure and less onerous?
Furthermore, any analysis of an MFA method or credential-based authentication solution should consider how the chosen modality fares against the life cycle of its use – from enrolment right through to removal and disposal.
On the end user side, we are entering a phase where MFA usage is being triggered by more and more external events, both for consumers – who are making purchases, performing online transactions and sharing PII – and company employees, with the increased onset of zero trust networking and distributed working patterns.
As a result, the chosen authentication modality must support end user self-sufficiency for the addition and reset use cases, and must offer improved security and operational management from a service perspective.
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years' experience within the cyber security and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He is also a part-time postgraduate student on the GCHQ-certified MSc in Information Security at Royal Holloway, University of London, UK. His 2021 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “How IAM Countermeasures Can Defend Against Cyberwar”.
The Cyber Hut is a leading industry analyst firm focused on identity, access and cyber security technology. A UK firm with a global reach, they specialise in helping both the buy side and sell side optimise their understanding of complex cyber security solutions.