I am used to reading articles calling for passwords to be replaced; in fact, I have written a number of them myself. Even so, I was shocked to read the headline on DARKreading, “Multi-factor IT Authentication Hampers Progress, Says 47% US Companies”. But should I have been surprised?
Maybe yes and maybe no.
The story was based on a survey by IS Decisions which indicates that people working in the US are losing 22 minutes per week to complicated security steps. It also reports that 28% of companies rejected multi-factor verification because of infrastructure issues.
Judging by the conversations my team and I have with people using or running security systems of all shapes and sizes, the truth is that people can lose just as much time each week, or more, dealing with non-complicated security steps. That holds whether you are the worker who has forgotten his password (or failed to reset it in time) or the person on the IT helpdesk handling these issues day in, day out.
However, on the issue of ‘complicated security’, I strongly suspect many of the people surveyed are describing their experience of just one type of multi-factor system: the dreaded hard token. Ask anyone who is still required to use a hard token and you will get similar negative responses. Whilst I appreciate that this type of multi-factor system has delivered strong authentication for a long time, it is very much old technology, hanging around like a bad penny because it was so expensive to invest in once upon a time and is now perceived as too complex to change.
New approaches to multi-factor authentication have emerged that address head-on the issues of hampering progress and infrastructure. Where hard tokens are very resource-hungry in terms of the cost to procure, implement and roll out (and then the not insignificant running costs), new approaches to multi-factor leverage investments the organisation has already made. Why buy thousands of hard tokens when the mobile devices in every worker’s pocket, which they carry with them everywhere, can perform the same task? As a result, roll-out to thousands of devices (regardless of where they are in the world) can be done in minutes and hours rather than days and weeks.
My plea to the 28% of companies that have chosen to reject multi-factor altogether is to have a closer look at the next generation of authentication solutions. It is no longer a one-size-fits-all, take-it-or-leave-it market. The latest authentication systems are affordable, scalable and flexible. A great example of this is the emergence of 1.5FA for instances where security greater than a password is required but full 2FA would be overkill.
Threats to companies are multi-faceted. What is more, industry regulators and governments are only going to get tougher and tougher on organisations that do not take the right steps to safeguard against attacks and data breaches. When running an authentication system, it should never be a trade-off between enhanced security, the user experience and productivity, and now it doesn’t have to be.
You can read the DARKreading article in full at: http://www.darkreading.com/operations/multi-factor-it-authentication-hampers-progress-say-47–us-companies/d/d-id/1326858
Hi Steven,
Glad to see our news provoking some thought. I just wanted to clarify our position and thinking.
Multi-factor authentication (MFA) is a safe option to protect data, and the more layers of security you have, the safer your data is. However, many organizations are failing with MFA. The report reflects this reality and emphasizes the frustration both end-users have, and IT managers face, with MFA solutions that prove complex, costly and disruptive to existing infrastructure.
IS Decisions’ argument, therefore, is that if an alternative to MFA exists that doesn’t impede end users OR frustrate IT Managers but ticks all the security boxes, then that alternative is worth investigating.
For example, context-aware security can grant or deny access based on contextual rules set up by the IT department. You could restrict individuals’ network access to certain workstations located in particular departments on your office premises.
Or you could set up rules restricting access to certain connection types (IIS, Wi-Fi, VPN) so employees can continue to work on the go, or even restrict access to particular times of day, location or by a maximum number of concurrent sessions.
Restricting access in this way means that even if a cybercriminal gets their hands on an employee’s password, they still won’t be able to get access, meaning sensitive data remains safe. Crucially, this form of transparent access security doesn’t impede the end user like multi-factor authentication does, can complement any existing security technology you’ve already got in place, and is dead easy to set up and manage.
Without these alternatives, it avoids the very real case of organizations failing with MFA and leaving the network protected by only native passwords.
Warm regards,
François
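The rule types the comment above describes (permitted workstations per department, connection type, time of day and a cap on concurrent sessions), shown as an added illustration that is not code from the blog, the commenter or any IS Decisions product; the departments, hostnames and policy values are constructed, and the point it demonstrates is that a correct password alone does not grant access.

```python
"""Minimal context-aware access check: the password is necessary but not
sufficient, every contextual rule must also pass. Policy and attempts are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    user: str
    department: str
    connection: str       # "workstation", "iis", "wifi" or "vpn"
    workstation: str      # hostname the session originates from
    hour: int             # local hour, 0-23
    active_sessions: int  # sessions this user already has open


# Constructed per-department policy (hypothetical departments and hostnames).
POLICY = {
    "finance": {"workstations": {"FIN-PC-01", "FIN-PC-02"},
                "connections": {"workstation", "vpn"},
                "hours": (8, 18), "max_sessions": 1},
    "sales":   {"workstations": set(),            # empty set = any workstation
                "connections": {"workstation", "wifi", "vpn"},
                "hours": (6, 22), "max_sessions": 2},
}


def check_context(a: Attempt, policy=POLICY):
    """Return (allowed, reason); the first failing rule decides."""
    rules = policy.get(a.department)
    if rules is None:
        return False, "no policy for department"
    if a.connection not in rules["connections"]:
        return False, f"connection type {a.connection} not permitted"
    allowed_ws = rules["workstations"]
    # The workstation restriction applies to interactive logons on premises.
    if a.connection == "workstation" and allowed_ws and a.workstation not in allowed_ws:
        return False, f"workstation {a.workstation} not in department"
    start, end = rules["hours"]
    if not start <= a.hour < end:
        return False, f"outside working hours {start:02d}-{end:02d}"
    if a.active_sessions >= rules["max_sessions"]:
        return False, "concurrent session limit reached"
    return True, "context ok"


def login(a: Attempt, password_ok: bool):
    """Password and context are evaluated independently; both must pass."""
    if not password_ok:
        return False, "bad password"
    return check_context(a)
```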