“At the very least, organisations should be using MFA to protect users. Everyone talks about how easy passwords are to defeat as a security mechanism, yet we have a very low penetration level in most organisations of MFA,” said Alex Weinert, program manager at Microsoft.
“I would say MFA is the one thing to do to keep users safe if [organisations] haven’t done so already. That would be my first tower of defense when it comes to preventing customers and employees from falling victim to hackers,” he said.
Anmol Singh, lead analyst at KuppingerCole, agreed, adding that it is important for organisations implementing MFA to consider the composition of MFA very carefully.
“They need to understand that each of the two, three or more factors can be used to discover different kinds of risks,” he said. “And when choosing which factors to use, they should ensure that these cover the most serious risks to their particular organisation or business.”
It is about deciding which factors to use and when, said Martin Kuppinger, principal analyst at KuppingerCole. “MFA systems, by definition, should support as many authentication indicators as possible to enable organisations to choose and adapt to particular needs of their business and users,” he said.
John Tolbert, lead analyst at KuppingerCole, said that in deploying MFA, organisations should look at the various risk levels they are facing and the importance of what they are trying to protect.
“For example, if a financial services provider were to implement an MFA system requiring a password and just some knowledge-based form of identification, that would just be a bad idea, not true MFA.
“Policies are important to set out what combinations of factors are required for each type of transaction to ensure appropriate levels of authentication assurance and identity assurance,” he said.
Tolbert said it is important to ensure that the risk and required assurance are mapped accurately. “While people do not want any more friction in their transactions than necessary, they also want to know that there are appropriate levels of stepped-up assurance for higher value transactions,” he said.
Another important thing to consider, added Tolbert, is environmental factors such as the geographical location of the person logging in and whether or not they are using a known and trusted device, as well as whether the user behaviour pattern is normal or not.
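The kind of policy Tolbert describes, as an added worked example that is not code from the article or from any vendor: a hypothetical step-up policy that counts distinct factor categories (so a password plus a knowledge-based question still counts as a single factor, not true MFA), maps each transaction type to a required assurance level, and raises that level when the device, location or behaviour pattern is unfamiliar. The factor names, level numbers and the penalty rule are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed factor catalogue. True MFA needs two or more *different* categories;
# two "knowledge" factors (password + security question) give no extra assurance.
CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "fido2_key": "possession",
    "fingerprint": "inherence",
}

# Hypothetical per-transaction assurance levels (higher value -> more categories).
REQUIRED_LEVEL = {"view_balance": 1, "pay_known_payee": 2, "wire_transfer": 3}
MAX_LEVEL = len(set(CATEGORY.values()))  # only three categories exist


@dataclass
class Context:
    factors: list          # authentication methods completed so far
    known_device: bool     # environmental signals from the request
    usual_country: bool
    behaviour_normal: bool


def assurance_level(factors):
    """Number of distinct factor categories actually proven."""
    return len({CATEGORY[f] for f in factors})


def is_true_mfa(factors):
    """Tolbert's point: password + knowledge-based question is not MFA."""
    return assurance_level(factors) >= 2


def environmental_penalty(ctx):
    """Each unfamiliar signal demands one more factor category (assumed rule)."""
    return sum(not ok for ok in (ctx.known_device, ctx.usual_country, ctx.behaviour_normal))


def decide(transaction, ctx):
    """Return ('allow', 0) or ('step_up', n): n = extra categories still needed."""
    required = min(REQUIRED_LEVEL[transaction] + environmental_penalty(ctx), MAX_LEVEL)
    have = assurance_level(ctx.factors)
    return ("allow", 0) if have >= required else ("step_up", required - have)


if __name__ == "__main__":
    # Constructed scenario: a wire transfer attempted with two knowledge factors.
    print(decide("wire_transfer", Context(["password", "security_question"], True, True, True)))
```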
Working with zero trust and AI
The next level up of protection for users, said Kuppinger, is the use of the notion or security models of zero trust. “This is where all these things come together because it is about using more information to make things more secure,” he said.
In the context of authentication, Tolbert said implementing a zero-trust approach typically requires authentication and authorisation for any and every user and device on the network for every application that they are accessing.
“With zero trust, people often get too wrapped up in the network side of things. It is more than network segmentation or VPN [virtual private network] modernisation. It is about combining the different environmental factors around users, networks, applications and devices, and then treating them as if they are untrusted,” he added.
A zero-trust approach, said Weinert, provides the opportunity for combining a wide variety of elements with network-based and credential-based algorithms to reach a much higher level of precision or “triangulation”, which he described as “super valuable”.
Another important consideration, said Matthias Reinwarth, senior analyst at KuppingerCole, is the application of artificial intelligence (AI), because the increasing number of cyber attacks is making it difficult to track what is going on in an organisation – especially during the authentication and authorisation processes, given the vast amount of data involved.
“By analysing that data, organisations can apply more intelligent measures aimed at detecting patterns and identifying any anomalies, and it is in this context that a growing number of organisations are beginning to apply machine learning [ML] and deep learning technologies.”
In this way, said Reinwarth, organisations are able to put themselves in a better position to identify potential security breaches and respond in an informed way. “In an ideal world, this could even be used for automated security incident responses,” he said.
Similarly, said Singh, AI technologies could be used to step up authentication when necessary and select the most appropriate authentication factors in any given situation. “Over time, these technologies will be able to learn what combinations prove to be the most effective in particular situations.
“Another application of these technologies would be to provide continual assurance in terms of authentication throughout the whole session, and not just at the start,” he said.
Further application of AI, said Weinert, could be to help organisations fine-tune their identity and authentication policies based on observations of real use cases.
“For example, AI could be used to identify situations where service accounts do not have the appropriate MFA requirements and other constraints applied to ensure better governance, or ML could be applied to identify risky behaviours and then used to build the appropriate constraints around that,” he added.
Application of AI, specifically ML, around authentication enables organisations to see patterns between markets and sectors, said Weinert.
“Someone in healthcare, for example, may have similar roles and responsibilities as someone else in healthcare, and so the training can benefit all those in the sector with similarities. Typically, a medium-sized organisation with a medium level of activity is generating a lot of valuable data,” he said.
“Organisations definitely should be using MFA today rather than relying on usernames and passwords,” said Kuppinger, summing up the panel discussion.
“I would say 90% or more of websites still rely on usernames and passwords to protect users, but that is really not enough. They should be using MFA in combination with environmental elements and security models like zero trust, as well as technologies such as ML and AI.”
Kuppinger encouraged organisations to use the data available to them to combine and analyse multiple signals to help build the most effective defenses for users.
“We have more data, but we also process more data than ever before, which enables us to do things we weren’t able to do in the past, and to do them in near real time, which is necessary for effective protection,” he said.