Hackers count on people being lazy with their passwords. It’s a problem with organizations of every size and type, including industry giants like Google. People who find it too much of a hassle to toss an aluminum can into the recycling bin right next to the trash bin have no problem recycling the same password across multiple accounts for years.
Reducing risk involves combining authentication processes in such a way as to ensure only the user can get to his or her data.
Facebook and Google do this by having users confirm authentication from their phones every time their account is accessed from an unrecognized device. This requires hackers to have physical access to the accountholder’s phone, which is unlikely. The password as a sole form of identity verification is dead, or at least on life support. Multifactor authentication is taking over as the new normal.
“But who’s going to know my dog’s zodiac sign and my zip code? Hang on, I’m doing a survey on Facebook.”
What Is Multifactor Authentication?
Multifactor authentication requires additional credentials beyond username and password for gaining access to an application, site, or data. There are three basic elements that can be used in multifactor authentication:
• Something the user knows (like a password or PIN)
• Something the user possesses (like a smart card or mobile phone)
• Something the user is (as represented by, say, a fingerprint)
Multifactor authentication requires the use of elements from different categories. In other words, requiring two different passwords isn’t multifactor authentication, because both are something the user knows. A common technique is a website sending an access code to the user’s phone, which the user has to enter in addition to her usual password to gain access.
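The password-plus-phone-code flow described above can be sketched on the server side as follows. This is an added example, not code from any site named in this article; the function names, the five-minute lifetime, the attempt limit and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 300      # seconds a phone code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed policy)

def hash_password(password: str, salt: bytes) -> bytes:
    # Knowledge factor: keep only a slow, salted hash (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}

def _code_digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()

def issue_phone_code(now: float):
    """Return (code to send to the phone, server-side record that omits the code)."""
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "digest": _code_digest(salt, code),
              "expires": now + CODE_TTL, "attempts": 0, "used": False}
    return code, record

def verify_phone_code(record: dict, submitted: str, now: float) -> bool:
    # Possession factor: single use, short lived, limited number of guesses.
    if record["used"] or now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["digest"],
                             _code_digest(record["salt"], submitted))
    record["used"] = ok
    return ok

def login(account: dict, password: str, record: dict, submitted: str, now: float) -> bool:
    # Both factors are always evaluated; failing either one denies access.
    pw_ok = hmac.compare_digest(account["pw_hash"],
                                hash_password(password, account["salt"]))
    code_ok = verify_phone_code(record, submitted, now)
    return pw_ok and code_ok
```

A correct password with a wrong, expired or already-used code is rejected, which is the property that makes a stolen password insufficient on its own.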
Benefits of Multifactor Authentication
Social engineering is still a critical technique hackers use to gain access to people’s data, accounts, or financial information. Talking someone out of a password or other identifying information (like a Social Security number) is easier than talking someone out of a password and the special code sent to their phone. More people are suspicious enough to not allow that level of manipulation.
One of the biggest benefits of multifactor authentication, however, is that it allows organizations to use advanced security options like single sign-on, which is easier for end-users, but harder for hackers. With single sign-on, the user performs an initial multifactor authentication process. Once that’s done successfully, the end-user is admitted to their single sign-on software and can gain access to all their required apps and data without having to enter passwords or credentials each time. Taking a tiny bit of time up front every day lets end-users avoid entering passwords multiple times a day.
Challenges of Implementing Multifactor Authentication
If your organization’s never had a breach, you could face skepticism and push-back from end-users.
Overcoming end-user objections is a challenge when implementing multifactor authentication. People may think that because there’s never been a security breach, there’s no need for it. But you know better. Additional challenges to rolling out multifactor authentication include:
• Integration with the existing IT ecosystem
• Difficulty of use by end-users
• Required commitment to maintenance after rollout
Integration with existing IT infrastructure can be daunting, particularly for small organizations without the staff skills necessary for the task. Also, many third-party multifactor authentication providers rely on dedicated apps and ongoing maintenance of user databases, which costs time and money.
Trends in Multifactor Authentication
Here’s what others are doing with multifactor authentication. Maybe it can help you in developing a strategy for implementing multifactor authentication in your organization.
The 2014 Global Annual Authentication Survey by SafeNet, Inc. found that 37% of organizations are now using multifactor authentication, up from 30% in 2013. The survey found that access control and authentication were considered top priorities for IT departments. In 2013, 57% of data breaches were due to malicious intent from outsiders, and multifactor authentication reduces that type of risk while still ensuring end-users have the access they require.
Fifty-six percent of organizations expect most of their users to rely on multifactor authentication by 2016. Cloud solutions are becoming more popular, with 33% of organizations expressing preference for cloud-based authentication solutions, up sharply from 21% in 2013. Another one-third of organizations say they are open to using the cloud for multifactor authentication.
The username-password combination is inadequate and outdated. Despite major recent headlines about data breaches (P.F. Chang, Target, eBay, etc.), organizations continue to use password security and expect it to be sufficient. As Steve Kirsch, CEO for security vendor OneID, puts it, “When you have something this fundamentally insecure, it’s not a question of if, but when you will be breached.”