Posted on July 19, 2018
Security may be high on the agenda of many, but there are still a lot of myths surrounding the topic. Most organisations remain rather stuck in their ways, holding a perception of security that owes much to group-think, and group-think tends to reinforce bad habits or close an organisation off to changing in a positive direction.
It should be obvious to all of us by now that multi-factor authentication (MFA) is no longer optional. Post-incident analysis of nearly every recent breach reaches the same conclusion: had an additional authentication factor been in place, a stolen or guessed password alone would not have been enough and the breach might well have been stopped. Yet the objections still sound familiar:
- We have it, but it’s limited in use; only for admins connecting to the VPN
- We had it for a while, but were asked to disable it due to user frustration
- It’s such a nuisance, we don’t want to bother our users with it
There are so many poorly designed MFA solutions on the market that if you approach your project without being aware of the pitfalls, you may well end up in the same position. Put simply, the complaint that users hate MFA is justified, but it is a complaint about how MFA is deployed, and there are some simple solutions to the problem.
Stop harassing your users
Imagine this: you connect to a secure company application from home and are presented with an MFA challenge. You pull out your phone, type in the code and are granted access. Moments later you are prompted to install a software update that requires a restart, and once your machine comes back up you have to repeat every step again, even though nothing about you, your device or your location has changed. This constant “bludgeoning of users with MFA” would drive anyone crazy.
It doesn’t have to be this way.
If you are not already using, or planning to use, risk-based adaptive authentication to drive your MFA decisions, then you should be. Risk-based MFA relies on what the industry refers to as ‘behavioural analytics’ or BA. Put simply, BA is a process by which a security engine builds a behavioural profile of every one of your users and scores each login attempt against it, asking questions like the following:
- Does this user belong to a risky group, like an admin group or DBA team?
- Have I seen this user/browser combination before?
- Is the user connecting during a typical time window?
- Is the user violating any geographical rules, such as a blocked country or a geo-velocity (‘impossible travel’) rule?
There are many more indicators of whether a user is exhibiting strange behaviour. When these signals are combined with other inputs such as allow-lists, block-lists and network rules, an adaptive risk engine will do one of three things:
- Prompt for MFA when the behaviour looks suspicious
- Allow low-risk users onto the network without a challenge
- Block those that are an obvious threat
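To make the three outcomes concrete, here is a small risk engine that scores a login attempt against a per-user profile using the signals listed above (privileged group, unseen browser, unusual hour, blocked country and geo-velocity) and maps the score onto allow, MFA or block. This is an added illustration written for this post, not code from any product; the group names, country codes, point values, thresholds, the 1000 km/h travel limit and the 07:00 to 19:59 window are all hypothetical policy choices.

```python
"""Toy risk-based adaptive authentication engine (added example, not the post's own code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Hypothetical policy values; a real deployment tunes these per organisation.
BLOCKED_COUNTRIES = {"KP"}                 # ISO 3166-1 alpha-2 codes on the block-list
PRIVILEGED_GROUPS = {"domain-admins", "dba"}
TYPICAL_HOURS = range(7, 20)               # 07:00-19:59 UTC counts as a normal login window
MAX_PLAUSIBLE_SPEED_KMH = 1000.0           # faster than an airliner means impossible travel
GEOIP_NOISE_KM = 50.0                      # ignore small moves; geo-IP is not that precise
MFA_THRESHOLD = 30                         # score >= 30 -> prompt for a second factor
BLOCK_THRESHOLD = 80                       # score >= 80 -> refuse the session outright


@dataclass
class LoginEvent:
    user: str
    groups: set
    browser_id: str          # e.g. a device-bound cookie or TLS client fingerprint
    country: str
    lat: float
    lon: float
    ts: datetime             # timezone-aware UTC timestamp


@dataclass
class UserProfile:
    known_browsers: set = field(default_factory=set)
    last_success: Optional[LoginEvent] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class RiskEngine:
    def __init__(self):
        self.profiles = {}

    def _profile(self, user):
        return self.profiles.setdefault(user, UserProfile())

    def score(self, ev):
        """Return (score, reasons) for one login attempt."""
        prof = self._profile(ev.user)
        if ev.country in BLOCKED_COUNTRIES:          # hard rule, nothing else matters
            return 100, ["blocked country"]
        score, reasons = 0, []
        if ev.groups & PRIVILEGED_GROUPS:
            score += 20; reasons.append("privileged group")
        if ev.browser_id not in prof.known_browsers:
            score += 30; reasons.append("unseen browser")
        if ev.ts.hour not in TYPICAL_HOURS:
            score += 20; reasons.append("outside typical hours")
        last = prof.last_success
        if last is not None:                          # geo-velocity against the last good login
            hours = (ev.ts - last.ts).total_seconds() / 3600.0
            km = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
            if km > GEOIP_NOISE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                score += 50; reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        return score, reasons

    def evaluate(self, ev):
        """Map the score onto the three outcomes: allow, mfa or block."""
        s, reasons = self.score(ev)
        if s >= BLOCK_THRESHOLD:
            return "block", s, reasons
        if s >= MFA_THRESHOLD:
            return "mfa", s, reasons
        return "allow", s, reasons

    def record_success(self, ev):
        """Call once a session is established (allowed, or MFA passed) so the profile learns."""
        prof = self._profile(ev.user)
        prof.known_browsers.add(ev.browser_id)
        prof.last_success = ev


def demo():
    """Constructed scenarios mirroring the post; returns the list of decisions."""
    eng, utc = RiskEngine(), timezone.utc
    london = dict(country="GB", lat=51.5074, lon=-0.1278)
    dubai = dict(country="AE", lat=25.2048, lon=55.2708)
    out = []
    # Day 1, 10:00: first login from this browser -> unseen browser -> MFA; user passes it
    e1 = LoginEvent("alice", {"staff"}, "fx-laptop", ts=datetime(2018, 7, 19, 10, tzinfo=utc), **london)
    out.append(eng.evaluate(e1)[0]); eng.record_success(e1)
    # Day 2, 11:00: same browser, same city, office hours -> allow with no challenge
    e2 = LoginEvent("alice", {"staff"}, "fx-laptop", ts=datetime(2018, 7, 20, 11, tzinfo=utc), **london)
    out.append(eng.evaluate(e2)[0]); eng.record_success(e2)
    # Day 2, 13:00: same browser but from Dubai two hours later -> impossible travel -> MFA
    e3 = LoginEvent("alice", {"staff"}, "fx-laptop", ts=datetime(2018, 7, 20, 13, tzinfo=utc), **dubai)
    out.append(eng.evaluate(e3)[0])
    # A DBA on a new browser at 02:00 -> privileged + unseen + off-hours = 70 -> MFA
    e4 = LoginEvent("bob", {"dba"}, "chrome-new", ts=datetime(2018, 7, 19, 2, tzinfo=utc), **london)
    out.append(eng.evaluate(e4)[0])
    # Any login from a block-listed country is refused regardless of the rest
    e5 = LoginEvent("carol", {"staff"}, "edge", "KP", 39.0, 125.7, datetime(2018, 7, 19, 10, tzinfo=utc))
    out.append(eng.evaluate(e5)[0])
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The important design point is that the profile only learns from successful sessions (`record_success`), so an attacker who fails the challenge never teaches the engine that their browser is trusted; and the Dubai scenario produces a prompt rather than a block because the user can legitimately be travelling, which is exactly the situation the credit card analogy describes.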
When applied correctly, even the user who was challenged will agree that the prompt made sense. It is the same relationship you have with your credit card company: when you travel abroad and it messages you to ask whether the purchase in Dubai was really you, you are grateful for the diligence and happily confirm. You can have that relationship with MFA and your users too, as long as you aren’t bludgeoning them with it.