James Thew - Fotolia
MFA for the people
Jonathan Whitley from WatchGuard Technologies explores why many resellers and SMEs have paid lip service to multi-factor authentication and what needs to change to make it a ‘no-brainer’ component of any security solution
According to Verizon’s 2017 data breach investigation report, 81% of breaches in 2017 involved stolen or weak passwords.
This is not surprising when we are told that the average user has 90 online accounts, and despite efforts to raise awareness, poor password practice is still the norm rather than the exception. But let’s face it, we all struggle with remembering a multitude of long, complex and secure passwords.
Companies know the problems they face. According to a recent survey led by independent market research firm Cite Research, IT decision makers at companies of up to 1,000 employees believe that 47% of their employees use weak passwords and 31% believe employees use the same network passwords for personal applications.
This means that cyber criminals can utilise a variety of techniques to acquire usernames and passwords, such as phishing, social engineering and buying stolen credentials on the dark web, to gain network access.
With the realisation that people will always be a weak link, it is not surprising that 84% of surveyed IT managers would prefer to enforce password best practices by using technology solutions rather than relying on password policies and training.
Therefore, the use of multi-factor authentication (MFA) should be a no-brainer, and it should be a simple value-add, up-sell for resellers and value-added resellers.
But in the same survey of business owners and IT managers, respondents expressed concerns with the costs, complexity and difficulty of deployment associated with MFA. In fact, 61% felt that MFA solutions were designed for the larger enterprises, and would be too expensive and cumbersome to manage with their limited IT resources.
In another report from systems provider Rapid 7, only 15% of companies were found to be using MFA technology during their security audits. The more basic practice of setting an account lockout – restricting incorrect password attempts to deter or slow brute-force attacks – was missing on almost one in five networks tested.
It appears that despite the endless headlines over the past decade suggesting that passwords are dead, it is far from the case. While the argument for MFA is compelling, traditional MFA systems have been too expensive and complex, particularly for small to medium-sized enterprises.
At the same time, MFA has the reputation as being a hassle for users. Adding something that will be annoying and frustrating may simply drive the IT department to avoid conflict altogether or buy their products somewhere else.
The answer may lie in the cloud, as cloud-based MFA requires no on-premise equipment, which cuts down on costly deployment and management activities.
Meanwhile, the added choice of modern authentication methods – including push notifications, one-time-passwords or QR codes to a mobile device – provides good security combined with an improved user experience.
For resellers and managed security service providers, a cloud-based architecture allows them to easily onboard new customers, allocate licenses, segment permissions and report on activity from a single interface – taking the hassle away from the customer.
Furthermore, the use of the Security Assertion Markup Language (SAML) standard allows users to log on just once to access a full range of applications and services, which makes life easier.
If we are to significantly reduce the number of breaches from poor password practice, vendors must not simply talk about the need for MFA. They need to step up to the plate to deliver MFA for the masses, which allows resellers to deliver solutions that are affordable, easy to roll out and manage at any scale and does not provide friction for the users.
We all know it makes sense, so hopefully things may start to change.