Adapt or Get Hacked: How Adaptive Multifactor Authentication Ensures Security Hygiene

Adaptive MFA

It’s only a matter of time before we reach a passwordless world.

Authentication has largely moved past passwords alone and toward biometrics, security tokens, blockchain-based identity, and multifactor authentication.

Security issues persist, however. Biometrics, for all their benefits, raise privacy concerns (a leaked fingerprint or face template cannot be reset the way a password can), and face recognition without liveness checks has been defeated with little more than a 2D photograph or a 3D mask of the victim’s face.

While blockchain-based identity has potential, it will take time to mature. Its main challenge today is establishing trust between the parties involved: who vouches for an identity, and who accepts that party as a trusted sponsor.

In the meantime, multifactor authentication, 2FA in particular, as used by Google, Amazon, Facebook, WhatsApp, Instagram, and other industry leaders, gets the job done.

A year-long study by Google together with researchers from New York University and the University of California, San Diego found that Google’s on-device prompts, a more secure replacement for SMS codes, blocked 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks.

Until now, multifactor authentication seemed to be the best we had.

But it has become clear that MFA too has its flaws. Its most prominent weakness is its reliance on static security policies.

The issue with static security policies (predefined user roles, allowed days and hours, locations, and devices that never change once set) is that they leave loopholes and overly burden the user experience.

For example, under a static policy, a single location would impose the same authentication requirements each time, regardless of the device or the user.

This is a two-sided problem: 1) a fixed rule is predictable, so an attacker who can satisfy it once faces no further scrutiny, and 2) the user experience suffers. With a static policy, a person accessing the office network from their company smartphone is asked to meet the same requirements every time they log in.

This lack of context awareness has led industry pioneers to improve on the MFA methods in place. The result is A-MFA, adaptive multifactor authentication, and the new method hits the sweet spot.

Why adaptive?

For all their security factors, existing MFA systems use static policies to select authentication factors. The problem is that they fail to account for the dynamic nature of the operating environment.

People and devices move constantly, and so must authentication requirements. Security is no longer just about the factors you possess or know, but largely about context.

A-MFA uses the environment, the user, and the device to generate security requirements that must be met for authentication to succeed. If one of these conditions changes, the requirements change with it, so nothing is left to chance.

The second weakness of static MFA is friction: users are repeatedly prompted to enter authentication factors on their devices. Each prompt is defensible on its own, but the accumulated frustration seriously hampers the user experience.

This is even more pronounced in a corporate setting. Each time employees are asked for an authentication factor, their productivity drops. Time is lost on repeated logins, and the authentication system itself is overburdened, handling hundreds of logins per second.

So it was obvious that MFA needed to evolve and adapt. The question was in which direction.

One, the way people now use devices means they jump between accounts, networks, and devices, and they want (and need) this to be seamless. That requires an authentication framework that adaptively selects among multiple modalities depending on the operating environment. Such a strategy is also harder for an attacker to predict.

Two, the solution had to be both secure and user-friendly. Users want their accounts kept safe, but they are unlikely to embrace something high-maintenance, meaning constant prompts at every step.

A flow interrupted by prompts discourages users from using MFA at all. It might be hard to believe, but even basic 2FA puts users off: as Google reported in 2018, roughly 90% of Google users had not enabled Google’s 2FA.

The reasons vary, from plain disinterest to overconfidence in password strength. Still, ease of use clearly plays a major role in how widely a solution is adopted.

Context is king

A-MFA’s main advantage is contextualized authentication, which lets it hit the sweet spot between the required security and a smooth experience.

In essence, A-MFA derives the requirements a login must meet from the context in which the user is trying to authenticate.

Each context carries a different risk level, and A-MFA adapts the authentication requirements to match it.

This ends one-size-fits-all authentication: the burden is lifted from low-risk activity and the reins are tightened where the risk is high.

The user experience improves because A-MFA removes needlessly heavy-handed prompts.

A-MFA solves BYOD issues

A-MFA issues access challenges intelligently, letting users make the most of their tools and gadgets, including their own devices.

With static 2FA, BYOD policies can quickly become a liability. A personal device on an untrusted network outside the office meets the same challenge as a managed device on the corporate LAN, so the weaker device posture and the hostile network are never taken into account, and an attacker who has compromised the device or the connection faces nothing extra.

A-MFA, on the other hand, lets companies tap into the BYOD market, projected to exceed $360 billion by 2022, and adopt BYOD policies without compromising security. That helps them cut costs through a mobile and BYOD workforce.

If the user works from a managed computer in the head office, A-MFA might require only a password: the device is known and the network is already well protected. (Network location on its own is a weak signal, so a sensible policy weighs it together with device posture rather than trusting the address alone.)

Meanwhile, if the same user tries to reach the company network from a smartphone over public Wi-Fi in a cafe, A-MFA recognizes the elevated risk and imposes more stringent access requirements.

Evolve in line with business needs

With A-MFA, companies can expand their remote and mobile workforce and give employees flexibility, saving significantly on hardware and software purchases.

Adaptive authentication keeps companies and employees secure while allowing enough flexibility not to harm productivity.

If a threat is detected, A-MFA allows tightening access to only the affected parts of the network, while the rest of the business continues to work unimpeded.

Security needs to keep adapting

Instead of evaluating risk only once, at login, adaptive MFA evaluates it continuously as part of the process.

A-MFA keeps assessing context to decide whether to allow each request for a resource. By monitoring post-login activity, adaptive systems keep users and companies safe throughout the use of network and devices.

The need for such a solution is underscored by the sobering reality that attackers need access to only a single email account to wreak havoc across a company’s websites, servers, portals, and applications.
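As an added illustration (not code from the original article or from any vendor's product), the following Python sketch implements the policy logic described in the last few sections: context signals are scored, the score is mapped to a risk level, the risk level selects which factors must be satisfied, and the same evaluation runs again on later in-session requests so that only an increase in risk triggers a step-up. The signal weights, the corporate IP range, the sensitive resources, and the sample sessions (a managed laptop in the head office, a personal phone on cafe Wi-Fi, a mid-session jump to another country) are all constructed assumptions.

```python
"""Toy adaptive (risk-based) MFA policy engine. Illustrative only: weights,
network ranges and sample sessions are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum
import ipaddress
from typing import List, Optional, Set, Tuple


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass
class Context:
    """Signals available at login time and on every later request."""
    user: str
    device_id: str
    managed_device: bool   # enrolled in the company's device management (assumed attribute)
    src_ip: str
    country: str
    when: datetime
    resource: str          # what is being requested


@dataclass
class Baseline:
    """What the policy already knows about this user's normal behaviour."""
    known_devices: Set[str]
    usual_country: str
    work_hours: Tuple[int, int] = (7, 20)   # local hours, half-open range


# Assumed corporate address space and sensitive resources (constructed).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE = {"payroll", "admin-console"}


def score(ctx: Context, base: Baseline) -> Tuple[int, List[str]]:
    """Add up risk points per signal; weights are illustrative, not tuned."""
    points, reasons = 0, []
    ip = ipaddress.ip_address(ctx.src_ip)
    if not any(ip in net for net in CORP_NETS):
        points += 2; reasons.append("off corporate network")
    if not ctx.managed_device:
        points += 2; reasons.append("unmanaged device")
    if ctx.device_id not in base.known_devices:
        points += 2; reasons.append("device not seen before")
    if ctx.country != base.usual_country:
        points += 3; reasons.append("unusual country")
    lo, hi = base.work_hours
    if not lo <= ctx.when.hour < hi:
        points += 1; reasons.append("outside usual hours")
    if ctx.resource in SENSITIVE:
        points += 2; reasons.append("sensitive resource")
    return points, reasons


def classify(points: int) -> Risk:
    if points <= 1:
        return Risk.LOW
    if points <= 4:
        return Risk.MEDIUM
    return Risk.HIGH


# The "requirements" the article talks about: factors that must be satisfied.
FACTORS = {
    Risk.LOW: ["password"],
    Risk.MEDIUM: ["password", "device_prompt"],
    Risk.HIGH: ["password", "hardware_key"],
}
DENY_AT = 9   # at or above this score no combination of factors is accepted


@dataclass
class Decision:
    action: str            # "challenge" (login), "step_up" (in session), "allow" or "deny"
    risk: Risk
    factors: List[str]
    reasons: List[str] = field(default_factory=list)


def decide(ctx: Context, base: Baseline, session_risk: Optional[Risk] = None) -> Decision:
    """Evaluate a login (session_risk=None) or a later request in an open session.

    Factors already satisfied cover the session's current risk level, so a
    later request is re-prompted only when its risk is higher than that."""
    points, reasons = score(ctx, base)
    risk = classify(points)
    if points >= DENY_AT:
        return Decision("deny", risk, [], reasons)
    if session_risk is not None and risk <= session_risk:
        return Decision("allow", risk, [], reasons)
    action = "challenge" if session_risk is None else "step_up"
    return Decision(action, risk, FACTORS[risk], reasons)


# Constructed sample user and sessions mirroring the article's two scenarios.
BASE = Baseline(known_devices={"laptop-42"}, usual_country="NL")


def head_office_login() -> Decision:
    """Managed, known laptop on the corporate LAN during working hours."""
    return decide(Context("alice", "laptop-42", True, "10.20.1.7", "NL",
                          datetime(2023, 3, 6, 10, 15), "wiki"), BASE)


def cafe_phone_login() -> Decision:
    """Personal, never-seen phone on public Wi-Fi in the evening."""
    return decide(Context("alice", "phone-7", False, "203.0.113.45", "NL",
                          datetime(2023, 3, 6, 21, 5), "wiki"), BASE)


def mid_session_drift() -> Decision:
    """Session opened at LOW risk; a later request arrives from another country."""
    first = head_office_login()
    later = Context("alice", "laptop-42", True, "198.51.100.9", "BR",
                    datetime(2023, 3, 6, 10, 40), "payroll")
    return decide(later, BASE, session_risk=first.risk)


def stolen_device_abroad() -> Decision:
    """Every signal anomalous at once: the policy refuses rather than prompting."""
    return decide(Context("alice", "tablet-1", False, "198.51.100.9", "BR",
                          datetime(2023, 3, 6, 3, 0), "payroll"), BASE)
```

The head-office login scores zero and gets a password prompt only; the cafe phone accumulates points for the unknown, unmanaged device on an outside network and is pushed to the hardware-key tier; the mid-session request from another country is caught by the post-login re-evaluation and produces a step-up instead of a silent allow. Note that "on the corporate network" is the weakest of these signals, since an attacker on a compromised internal host is also on-network; that is why the example weighs device enrollment and device history alongside it rather than trusting the address alone.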

To prevent this from happening, companies need protection that adapts.
